TDL4 Rootkit | Grouped Behavior

Involved Hosts

Host	Resolved to	Country	City	Protocol
6zrt3vuwf-39qwkam.com				HTTP
127.0.0.1

Monitored Processes

Behavior Information - Grouped by Category

Process #1: cb91b8695d3990b5b5eae8a714bd357e.exe

(Host: 408, Network: 0)

Information	Value
ID / OS PID	#1 / 0x7d4
OS Parent PID	0x560 (c:\windows\explorer.exe)
Initial Working Directory	C:\Users\hJrD1KOKY DS8lUjv\Desktop
File Name	c:\users\hjrd1koky ds8lujv\desktop\cb91b8695d3990b5b5eae8a714bd357e.exe
Command Line	"C:\Users\hJrD1KOKY DS8lUjv\Desktop\cb91b8695d3990b5b5eae8a714bd357e.exe"
Monitor	Start Time: 00:00:10, Reason: Analysis Target
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:02:00
OS Thread IDs	# 1 0x 6C8 # 2 0x 720

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001d0000	0x001d0000	0x001dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000200000	0x00200000	0x0027ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000280000	0x00280000	0x002a5fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002e0000	0x002e0000	0x003dffff	Private Memory	Readable, Writable	Region Actions
cb91b8695d3990b5b5eae8a714bd357e.exe	0x00400000	0x00463fff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download
locale.nls	0x00470000	0x004d6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000004e0000	0x004e0000	0x00543fff	Private Memory	Readable	Region Actions
private_0x0000000000590000	0x00590000	0x005cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000650000	0x00650000	0x0065ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000660000	0x00660000	0x007e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007f0000	0x007f0000	0x00970fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000980000	0x00980000	0x01d7ffff	Pagefile Backed Memory	Readable	Region Actions
SortDefault.nls	0x01d80000	0x0204efff	Memory Mapped File	Readable	Region Actions
private_0x00000000021f0000	0x021f0000	0x021fffff	Private Memory	Readable, Writable	Region Actions
winspool.drv	0x749f0000	0x74a40fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x74a50000	0x74ad3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74ae0000	0x74ae7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74af0000	0x74b4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74b50000	0x74b8efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74c90000	0x74c9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ca0000	0x74cfffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74d00000	0x74d5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x74d90000	0x74eebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x74f60000	0x7500bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75010000	0x75104fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x751a0000	0x751f6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75200000	0x7528ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75290000	0x7538ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x75390000	0x753d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x75470000	0x7550cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75510000	0x75519fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75520000	0x75655fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75820000	0x7592ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75930000	0x759cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x759e0000	0x759ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x759f0000	0x75a7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x75a80000	0x75aa9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75ab0000	0x766f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x76700000	0x768fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76900000	0x769effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76a30000	0x76a48fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76a80000	0x76b4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x76b50000	0x76c6cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076d40000	0x76d40000	0x76e5efff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076e60000	0x76e60000	0x76f59fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f60000	0x77108fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77110000	0x77114fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77140000	0x772bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\hjrd1k~1\appdata\local\temp\c293.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855		File Actions Show Properties
c:\users\hjrd1k~1\appdata\local\temp\3bd8.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855		File Actions Show Properties

Host Behavior

File (6)

Operation	Filename	Additional Information	Count	Logfile
CREATE_TMPFILE	c:\users\hjrd1k~1\appdata\local\temp\c293.tmp	path = C:\Users\HJRD1K~1\AppData\Local\Temp\	1	Fn
CREATE_TMPFILE	c:\users\hjrd1k~1\appdata\local\temp\3bd8.tmp	path = C:\Users\HJRD1K~1\AppData\Local\Temp\	1	Fn
OPEN	c:	desired_access = SYNCHRONIZE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT	1	Fn
OPEN	\device\harddisk0\dr0	desired_access = SYNCHRONIZE, GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, open_options = FILE_SYNCHRONOUS_IO_NONALERT	1	Fn
MOVE	c:\users\hjrd1k~1\appdata\local\temp\3bd8.tmp	source_file_name = c:\users\hjrd1koky ds8lujv\desktop\cb91b8695d3990b5b5eae8a714bd357e.exe	1	Fn
MOVE	c:\users\hjrd1k~1\appdata\local\temp\3bd8.tmp		1	Fn

Module (134)

Operation	Module	Additional Information	Count	Logfile
LOAD	imagehlp.dll	base_address = 0x75a80000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77110000	1	Fn
LOAD	WININET.dll	base_address = 0x75010000	1	Fn
LOAD	SHELL32.dll	base_address = 0x75ab0000	1	Fn
LOAD	WINSPOOL.DRV	base_address = 0x749f0000	1	Fn
GET_HANDLE	c:\windows\syswow64\kernel32.dll	base_address = 0x75820000	2	Fn
GET_HANDLE	c:\windows\syswow64\advapi32.dll	base_address = 0x75930000	1	Fn
GET_HANDLE	c:\windows\syswow64\ntdll.dll	base_address = 0x77140000	2	Fn
GET_HANDLE	c:\windows\syswow64\shlwapi.dll	base_address = 0x751a0000	1	Fn
GET_HANDLE	imagehlp.dll	base_address = 0x0	1	Fn
GET_HANDLE	PSAPI.DLL	base_address = 0x0	1	Fn
GET_HANDLE	c:\windows\syswow64\rpcrt4.dll	base_address = 0x76900000	1	Fn
GET_HANDLE	WININET.dll	base_address = 0x0	1	Fn
GET_HANDLE	SHELL32.dll	base_address = 0x0	1	Fn
GET_HANDLE	c:\windows\syswow64\ole32.dll	base_address = 0x74d90000	1	Fn
GET_HANDLE	WINSPOOL.DRV	base_address = 0x0	1	Fn
GET_HANDLE	c:\users\hjrd1koky ds8lujv\desktop\cb91b8695d3990b5b5eae8a714bd357e.exe	base_address = 0x400000	1	Fn
GET_FILENAME	WINSPOOL.DRV	file_name = C:\Users\hJrD1KOKY DS8lUjv\Desktop\cb91b8695d3990b5b5eae8a714bd357e.exe	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = StrCmpNIA, address = 0x751ad11c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetTempPathA, address = 0x7585276c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address = 0x75831222	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleA, address = 0x75831245	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CopyFileA, address = 0x758558e5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LoadLibraryExA, address = 0x75834913	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address = 0x758334c8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = DeleteFileA, address = 0x75835444	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetPrivateProfileIntA, address = 0x7585cdd7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetPrivateProfileStringA, address = 0x7584184c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WritePrivateProfileStringA, address = 0x75857048	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateFileA, address = 0x758353c6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WriteFile, address = 0x75831282	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address = 0x75831410	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetTempFileNameA, address = 0x75859d3f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetSystemTime, address = 0x75835a96	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetFileAttributesA, address = 0x75835414	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = DeviceIoControl, address = 0x7583322f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SystemTimeToFileTime, address = 0x75835a7e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address = 0x758311f8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FreeLibraryAndExitThread, address = 0x7584d582	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address = 0x75831809	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address = 0x75833f5c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetFileSize, address = 0x7583196e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = ReadFile, address = 0x75833ed3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address = 0x758317d1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetEndOfFile, address = 0x7584ce2e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address = 0x758334b0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CopyFileW, address = 0x7585830d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateFileMappingA, address = 0x75835506	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = MapViewOfFile, address = 0x758318f1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = UnmapViewOfFile, address = 0x75831826	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = Sleep, address = 0x758310ff	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address = 0x758389b3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address = 0x75837a10	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCommandLineA, address = 0x758351a1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateThread, address = 0x758334d5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x75833509	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualProtect, address = 0x7583435f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address = 0x7583186e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetLastError, address = 0x758311c0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetVersionExA, address = 0x75833519	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = MoveFileExW, address = 0x75849b2d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetTempFileNameW, address = 0x7585d1b6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetTempPathW, address = 0x7584d4dc	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address = 0x75834950	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetWindowsDirectoryW, address = 0x758343e2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address = 0x75831856	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = QueryServiceStatusEx, address = 0x7593798c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = StartServiceA, address = 0x75973543	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = OpenSCManagerA, address = 0x75942bd8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = OpenServiceA, address = 0x75942bf0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = GetUserNameW, address = 0x7594157a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = OpenProcessToken, address = 0x75944304	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = RegCloseKey, address = 0x7594469d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = RegSetValueExA, address = 0x759414b3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = RegCreateKeyA, address = 0x7593cd01	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = CloseServiceHandle, address = 0x7594369c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlComputeCrc32, address = 0x771fffc1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = LdrAddRefDll, address = 0x7717ffdd	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwImpersonateThread, address = 0x77160d34	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwOpenThread, address = 0x77161128	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlEqualUnicodeString, address = 0x7716e7f3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwQueryInformationToken, address = 0x7715fb98	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = wcsncpy, address = 0x77215755	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwOpenFile, address = 0x7715fd54	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwClose, address = 0x7715f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwLoadDriver, address = 0x77160de4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strncat, address = 0x771bc570	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwCreateEvent, address = 0x7715ff64	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlInitUnicodeString, address = 0x7716e208	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _snwprintf, address = 0x77172417	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = atoi, address = 0x7718d2f3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwTestAlert, address = 0x77161db0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlRandom, address = 0x772098c3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwRaiseHardError, address = 0x771615f4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlAdjustPrivilege, address = 0x771f1f40	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwQuerySystemInformation, address = 0x7715fda0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = sscanf, address = 0x772154a7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strncpy, address = 0x771b5c30	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _chkstk, address = 0x7717ad68	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = memcpy, address = 0x77162340	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _snprintf, address = 0x77214760	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlImageNtHeader, address = 0x77173164	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwDeviceIoControlFile, address = 0x7715f8fc	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = memset, address = 0x7716df20	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = StrStrIW, address = 0x751b46e9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = SHDeleteKeyA, address = 0x751cd9f6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsW, address = 0x751b45bf	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = StrStrIA, address = 0x751ad250	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsA, address = 0x751dad1a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathAppendA, address = 0x751ad65e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathFindFileNameW, address = 0x751bbb71	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = SHGetValueA, address = 0x751acf09	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x751ce20b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\imagehlp.dll	function = CheckSumMappedFile, address = 0x75a88303	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\psapi.dll	function = GetMappedFileNameW, address = 0x7711162e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\rpcrt4.dll	function = UuidCreateSequential, address = 0x76927c12	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetCrackUrlA, address = 0x7501d075	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetConnectA, address = 0x750349e9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = HttpOpenRequestA, address = 0x75034c7d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = HttpSendRequestA, address = 0x750a18f8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetQueryOptionA, address = 0x75021b56	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetSetOptionA, address = 0x750275e8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address = 0x7502ab49	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address = 0x7503f18e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shell32.dll	function = ShellExecuteW, address = 0x75ac3c71	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ole32.dll	function = CoCreateInstance, address = 0x74dd9d0b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ole32.dll	function = CoInitialize, address = 0x74dab636	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ole32.dll	function = CoUninitialize, address = 0x74dd86d3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\winspool.drv	function = DeletePrintProvidorW, address = 0x74a040cc	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\winspool.drv	function = AddPrintProvidorW, address = 0x749ff612	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = IsWow64Process, address = 0x7583195e	1	Fn

Driver (267)

Operation	Additional Information	Count	Logfile
CONTROL	control_code = 0x560000	1	Fn
CONTROL	control_code = 0x4d014	265	Fn
CONTROL	control_code = 0x4d014	1	Fn

User (1)

Operation	User/Group/Server	Additional Information	Success	Count	Logfile
SET_PRIVILEGE	Localhost	privilege = SeShutdownPrivilege, enable_privilege = 1		1	Fn

Process #2: System

Information	Value
ID / OS PID	#2 / 0x4
OS Parent PID	0xffffffffffffffff (Unknown)
Initial Working Directory
File Name	System
Command Line
Monitor	Start Time: 00:00:52, Reason: Kernel Analysis
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:01:18
OS Thread IDs	# 3 0x 8 # 4 0x 14 # 5 0x 2C # 6 0x 50 # 7 0x 58 # 8 0x 5C # 9 0x 6C # 10 0x 44 # 11 0x 98 # 12 0x 9C # 13 0x 40 # 14 0x 94 # 15 0x 3C # 16 0x 64 # 17 0x 34 # 18 0x AC # 19 0x 28 # 20 0x B0 # 21 0x C0 # 22 0x B8 # 23 0x 30 # 24 0x 24 # 25 0x D0 # 26 0x 38 # 27 0x 20 # 28 0x BC # 30 0x F8 # 31 0x F4 # 32 0x F0 # 33 0x EC # 34 0x E8 # 36 0x 4C # 38 0x 104 # 39 0x 118 # 40 0x 48 # 41 0x 78 # 42 0x 11C # 43 0x 128 # 44 0x 134 # 45 0x 124 # 48 0x 80 # 49 0x 12C # 51 0x 14C # 52 0x 150 # 53 0x 154 # 54 0x 158 # 63 0x 68 # 75 0x 1B0 # 83 0x A8 # 89 0x 8C # 95 0x 120 # 97 0x 84 # 123 0x 90 # 125 0x 60 # 126 0x 74 # 131 0x 28C # 158 0x 300 # 179 0x 88 # 216 0x 3F4 # 255 0x 38C # 276 0x B4 # 298 0x 4AC # 315 0x 500 # 373 0x 508 # 377 0x 504 # 380 0x 61C # 382 0x 624 # 398 0x 664 # 409 0x 690 # 432 0x 6F4 # 441 0x 718 # 458 0x 75C # 460 0x 764 # 462 0x 76C # 463 0x 770 # 464 0x 774 # 466 0x 77C # 492 0x 1C # 502 0x 44C # 532 0x CC # 533 0x C8
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Monitored	Dump	YARA Match	Actions
pagefile_0x0000000000010000	0x00010000	0x00032fff	Pagefile Backed Memory	Readable, Writable				Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable				Region Actions

Process #3: smss.exe

Information	Value
ID / OS PID	#3 / 0xfc
OS Parent PID	0x4 (System)
Initial Working Directory	C:\Windows
File Name	c:\windows\system32\smss.exe
Command Line	\SystemRoot\System32\smss.exe
Monitor	Start Time: 00:01:00, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:01:10
OS Thread IDs	# 29 0x 100 # 35 0x 108 # 46 0x 138 # 59 0x 17C
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x (null)	0x00000000	0x000fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00101fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
smss.exe	0x48160000	0x4817ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #4: autochk.exe

Information	Value
ID / OS PID	#4 / 0x10c
OS Parent PID	0xfc (c:\windows\system32\smss.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\autochk.exe
Command Line	\??\C:\Windows\system32\autochk.exe *
Monitor	Start Time: 00:01:05, Reason: Child Process
Unmonitor	End Time: 00:01:06, Reason: Terminated
Monitor Duration	00:00:01
OS Thread IDs	# 37 0x 110
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0010ffff	Private Memory	Readable, Writable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
autochk.exe	0xffb90000	0xffc50fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #5: smss.exe

Information	Value
ID / OS PID	#5 / 0x13c
OS Parent PID	0xfc (c:\windows\system32\smss.exe)
Initial Working Directory	C:\Windows
File Name	c:\windows\system32\smss.exe
Command Line	\SystemRoot\System32\smss.exe 00000000 0000003c
Monitor	Start Time: 00:01:09, Reason: Child Process
Unmonitor	End Time: 00:01:11, Reason: Terminated
Monitor Duration	00:00:02
OS Thread IDs	# 47 0x 140
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
smss.exe	0x48160000	0x4817ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #6: csrss.exe

Information	Value
ID / OS PID	#6 / 0x144
OS Parent PID	0x13c (c:\windows\system32\smss.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\csrss.exe
Command Line	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Monitor	Start Time: 00:01:10, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:01:00
OS Thread IDs	# 50 0x 148 # 55 0x 15C # 56 0x 160 # 57 0x 164 # 58 0x 168 # 68 0x 198 # 76 0x 1BC # 77 0x 1C0 # 84 0x 1E0 # 86 0x 1F4
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x (null)	0x00000000	0x000fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00113fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000120000	0x00120000	0x00120fff	Private Memory	Readable, Writable, Executable	Region Actions
locale.nls	0x00130000	0x00196fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001d0000	0x001d0000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001d0000	0x001d0000	0x001dffff	Pagefile Backed Memory	Readable, Writable	Region Actions
marlett.ttf	0x001e0000	0x001e6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000001f0000	0x001f0000	0x00207fff	Pagefile Backed Memory	Readable	Region Actions
vgasys.fon	0x00210000	0x00211fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000220000	0x00220000	0x00220fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000240000	0x00240000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x0034ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000350000	0x00350000	0x0037ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000003b0000	0x003b0000	0x004affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004b0000	0x004b0000	0x00630fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000640000	0x00640000	0x00a32fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000a70000	0x00a70000	0x00aaffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ad0000	0x00ad0000	0x00b0ffff	Private Memory	Readable, Writable	Region Actions
segoeui.ttf	0x00b10000	0x00b8efff	Memory Mapped File	Readable	Region Actions
private_0x0000000000bb0000	0x00bb0000	0x00beffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c00000	0x00c00000	0x00c3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c80000	0x00c80000	0x00cbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ce0000	0x00ce0000	0x00d1ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000d20000	0x00d20000	0x00ea7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000f40000	0x00f40000	0x00f7ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000f80000	0x00f80000	0x0237ffff	Pagefile Backed Memory	Readable	Region Actions
csrss.exe	0x4a600000	0x4a605fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
cryptbase.dll	0x7fefda90000	0x7fefda9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxs.dll	0x7fefdaa0000	0x7fefdb30fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxssrv.dll	0x7fefdbb0000	0x7fefdbbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsrv.dll	0x7fefdbc0000	0x7fefdbf7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
basesrv.dll	0x7fefdc00000	0x7fefdc10fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
csrsrv.dll	0x7fefdc20000	0x7fefdc32fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #7: smss.exe

Information	Value
ID / OS PID	#7 / 0x16c
OS Parent PID	0xfc (c:\windows\system32\smss.exe)
Initial Working Directory	C:\Windows
File Name	c:\windows\system32\smss.exe
Command Line	\SystemRoot\System32\smss.exe 00000001 0000003c
Monitor	Start Time: 00:01:11, Reason: Child Process
Unmonitor	End Time: 00:01:11, Reason: Terminated
Monitor Duration	00:00:00
OS Thread IDs	# 60 0x 170
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0010ffff	Private Memory	Readable, Writable	Region Actions
smss.exe	0x48160000	0x4817ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #8: wininit.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#8 / 0x174
OS Parent PID	0x13c (c:\windows\system32\smss.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\wininit.exe
Command Line	wininit.exe
Monitor	Start Time: 00:01:11, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:00:59
OS Thread IDs	# 61 0x 178 # 71 0x 1A8 # 72 0x 1AC # 79 0x 1C8 # 80 0x 1CC # 82 0x 1DC # 96 0x 20C # 144 0x 2CC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x00016fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00021fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x0012ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000130000	0x00130000	0x00130fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x0014ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000150000	0x00150000	0x00156fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000160000	0x00160000	0x00161fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x00170fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000180000	0x00180000	0x00180fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00210000	0x00276fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000280000	0x00280000	0x002affff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000002f0000	0x002f0000	0x002fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000300000	0x00300000	0x003fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000400000	0x00400000	0x00587fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000590000	0x00590000	0x00710fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000720000	0x00720000	0x00b12fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000b60000	0x00b60000	0x00bdffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c30000	0x00c30000	0x00caffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000cb0000	0x00cb0000	0x00d2ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00e10000	0x010defff	Memory Mapped File	Readable	Region Actions
private_0x0000000001150000	0x01150000	0x011cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000011d0000	0x011d0000	0x0124ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001300000	0x01300000	0x0137ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001380000	0x01380000	0x013fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001420000	0x01420000	0x0149ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000014a0000	0x014a0000	0x0289ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002990000	0x02990000	0x02a0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ab0000	0x02ab0000	0x02b2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b30000	0x02b30000	0x02baffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
wininit.exe	0xffc10000	0xffc32fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WSHTCPIP.DLL	0x7fefce30000	0x7fefce36fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefd060000	0x7fefd069fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd420000	0x7fefd426fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd430000	0x7fefd484fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd490000	0x7fefd4a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefda00000	0x7fefda0afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefda60000	0x7fefda84fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefda90000	0x7fefda9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KBDUS.DLL	0x7fefdb30000	0x7fefdb33fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefdb40000	0x7fefdb53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefdba0000	0x7fefdbaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feff1e0000	0x7feff22cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feffce0000	0x7feffce7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\system32\wininit.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn

Process #9: csrss.exe

Information	Value
ID / OS PID	#9 / 0x180
OS Parent PID	0x16c (c:\windows\system32\smss.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\csrss.exe
Command Line	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Monitor	Start Time: 00:01:11, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:00:59
OS Thread IDs	# 62 0x 184 # 64 0x 188 # 65 0x 18C # 66 0x 190 # 67 0x 194 # 70 0x 1A4 # 78 0x 1C4 # 81 0x 1D0
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x (null)	0x00000000	0x000fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00113fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000120000	0x00120000	0x00120fff	Private Memory	Readable, Writable, Executable	Region Actions
locale.nls	0x00130000	0x00196fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001c0fff	Private Memory	Readable, Writable	Region Actions
vgasys.fon	0x001d0000	0x001d1fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001e0000	0x001e0000	0x001e0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001f0000	0x001f0000	0x001fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
marlett.ttf	0x00200000	0x00206fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000210000	0x00210000	0x00211fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000220000	0x00220000	0x0025ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x0038ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000390000	0x00390000	0x0048ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000490000	0x00490000	0x00610fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000620000	0x00620000	0x00637fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000650000	0x00650000	0x0065ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000660000	0x00660000	0x0066ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000670000	0x00670000	0x00a62fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000a70000	0x00a70000	0x00a7ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000a80000	0x00a80000	0x00a8ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000aa0000	0x00aa0000	0x00adffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000ae0000	0x00ae0000	0x00aeffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000b30000	0x00b30000	0x00b6ffff	Private Memory	Readable, Writable	Region Actions
segoeuii.ttf	0x00b70000	0x00bcefff	Memory Mapped File	Readable	Region Actions
private_0x0000000000be0000	0x00be0000	0x00c1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c80000	0x00c80000	0x00cbffff	Private Memory	Readable, Writable	Region Actions
segoeui.ttf	0x00cc0000	0x00d3efff	Memory Mapped File	Readable	Region Actions
private_0x0000000000d50000	0x00d50000	0x00d8ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000d90000	0x00d90000	0x00f17fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000f20000	0x00f20000	0x00f5ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000f60000	0x00f60000	0x0235ffff	Pagefile Backed Memory	Readable	Region Actions
micross.ttf	0x02360000	0x023fffff	Memory Mapped File	Readable	Region Actions
csrss.exe	0x4a600000	0x4a605fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
cryptbase.dll	0x7fefda90000	0x7fefda9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxs.dll	0x7fefdaa0000	0x7fefdb30fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxssrv.dll	0x7fefdbb0000	0x7fefdbbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsrv.dll	0x7fefdbc0000	0x7fefdbf7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
basesrv.dll	0x7fefdc00000	0x7fefdc10fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
csrsrv.dll	0x7fefdc20000	0x7fefdc32fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #10: winlogon.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#10 / 0x19c
OS Parent PID	0x16c (c:\windows\system32\smss.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\winlogon.exe
Command Line	winlogon.exe
Monitor	Start Time: 00:01:11, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:00:59
OS Thread IDs	# 69 0x 1A0 # 73 0x 1B4 # 74 0x 1B8 # 149 0x 2DC # 163 0x 318 # 228 0x 140 # 229 0x 158 # 237 0x 1C8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x00016fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00021fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x0004ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000250000	0x00250000	0x00251fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000260000	0x00260000	0x00260fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x00270fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000280000	0x00280000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000290000	0x00290000	0x002bffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000002c0000	0x002c0000	0x002d7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000002e0000	0x002e0000	0x003dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003e0000	0x003e0000	0x00567fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000570000	0x00570000	0x006f0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000700000	0x00700000	0x00af2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000b00000	0x00b00000	0x00b7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000b90000	0x00b90000	0x00b90fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000bd0000	0x00bd0000	0x00c4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c50000	0x00c50000	0x00ccffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d10000	0x00d10000	0x00d8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000da0000	0x00da0000	0x00e1ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00e50000	0x0111efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001200000	0x01200000	0x0127ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000012a0000	0x012a0000	0x0131ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001370000	0x01370000	0x013effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001470000	0x01470000	0x014effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001510000	0x01510000	0x0158ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001640000	0x01640000	0x016bffff	Private Memory	Readable, Writable	Region Actions
aero.msstyles	0x016c0000	0x017ddfff	Memory Mapped File	Readable	Region Actions
private_0x00000000016c0000	0x016c0000	0x0173ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001810000	0x01810000	0x0188ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001890000	0x01890000	0x0198ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000019f0000	0x019f0000	0x01a6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a70000	0x01a70000	0x0246ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001a70000	0x01a70000	0x02e6ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002e70000	0x02e70000	0x02f6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003030000	0x03030000	0x030affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000031b0000	0x031b0000	0x0322ffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
winlogon.exe	0xffc30000	0xffc91fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x7fefb580000	0x7fefb597fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
UXInit.dll	0x7fefb730000	0x7fefb739fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefb740000	0x7fefb74afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x7fefbd90000	0x7fefbda4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x7fefbdb0000	0x7fefbdbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WindowsCodecs.dll	0x7fefbf20000	0x7fefc049fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc4c0000	0x7fefc515fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd190000	0x7fefd1d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd490000	0x7fefd4a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netjoin.dll	0x7fefd5a0000	0x7fefd5d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefda60000	0x7fefda84fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefda90000	0x7fefda9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefdb40000	0x7fefdb53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefdb60000	0x7fefdb9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefdba0000	0x7fefdbaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\system32\winlogon.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn

Process #11: services.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#11 / 0x1d4
OS Parent PID	0x174 (c:\windows\system32\wininit.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\services.exe
Command Line	C:\Windows\system32\services.exe
Monitor	Start Time: 00:01:13, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:00:57
OS Thread IDs	# 85 0x 1D8 # 103 0x 224 # 104 0x 228 # 105 0x 22C # 106 0x 230 # 107 0x 234 # 108 0x 238 # 109 0x 23C # 110 0x 240 # 111 0x 244 # 112 0x 248 # 113 0x 24C # 130 0x 288 # 232 0x 13C # 324 0x 530 # 341 0x 580 # 348 0x 59C # 351 0x 5A8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x00016fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x0006ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000140000	0x00140000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000150000	0x00150000	0x0020ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x0038ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003b0000	0x003b0000	0x004affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004b0000	0x004b0000	0x00637fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000640000	0x00640000	0x007c0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007d0000	0x007d0000	0x00bc2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000c10000	0x00c10000	0x00c8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d50000	0x00d50000	0x00d8ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00d90000	0x0105efff	Memory Mapped File	Readable	Region Actions
private_0x00000000010b0000	0x010b0000	0x0112ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000011a0000	0x011a0000	0x0121ffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
services.exe	0xffe90000	0xffee2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ubpm.dll	0x7fefd020000	0x7fefd058fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefd060000	0x7fefd069fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd490000	0x7fefd4a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
authz.dll	0x7fefd660000	0x7fefd68efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x7fefd960000	0x7fefd982fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
scesrv.dll	0x7fefd990000	0x7fefd9f6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefda00000	0x7fefda0afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
scext.dll	0x7fefda10000	0x7fefda28fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefda60000	0x7fefda84fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefda90000	0x7fefda9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefdb40000	0x7fefdb53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefdba0000	0x7fefdbaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\system32\services.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn

Process #12: lsass.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#12 / 0x1e4
OS Parent PID	0x174 (c:\windows\system32\wininit.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\lsass.exe
Command Line	C:\Windows\system32\lsass.exe
Monitor	Start Time: 00:01:13, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:00:57
OS Thread IDs	# 87 0x 1E8 # 90 0x 1F8 # 91 0x 1FC # 92 0x 200 # 93 0x 204 # 94 0x 208 # 98 0x 210 # 99 0x 214 # 100 0x 218 # 101 0x 21C # 102 0x 220 # 169 0x 330 # 170 0x 338 # 236 0x 120 # 264 0x 420

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x00010fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x0006ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000070000	0x00070000	0x0007ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000a0000	0x000a0000	0x000affff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000000b0000	0x000b0000	0x000b6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00150000	0x001b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001c0000	0x001c0000	0x002bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002c0000	0x002c0000	0x003bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003c0000	0x003c0000	0x00547fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000550000	0x00550000	0x006d0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006e0000	0x006e0000	0x0079ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007a0000	0x007a0000	0x007affff	Pagefile Backed Memory	Readable, Writable	Region Actions
C_28591.NLS	0x007b0000	0x007c0fff	Memory Mapped File	Readable	Region Actions
private_0x00000000007d0000	0x007d0000	0x007d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007e0000	0x007e0000	0x007e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007f0000	0x007f0000	0x0086ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000870000	0x00870000	0x00870fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000880000	0x00880000	0x00880fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000890000	0x00890000	0x00890fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008a0000	0x008a0000	0x008a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008b0000	0x008b0000	0x008b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008c0000	0x008c0000	0x008c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008d0000	0x008d0000	0x008d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008e0000	0x008e0000	0x008e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008f0000	0x008f0000	0x0096ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00980000	0x00c4efff	Memory Mapped File	Readable	Region Actions
private_0x0000000000c90000	0x00c90000	0x00d0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d10000	0x00d10000	0x00d8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000da0000	0x00da0000	0x00e1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e30000	0x00e30000	0x00eaffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ec0000	0x00ec0000	0x00f3ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000f40000	0x00f40000	0x01332fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001350000	0x01350000	0x013cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001400000	0x01400000	0x0147ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001480000	0x01480000	0x0157ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014c0000	0x014c0000	0x0153ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001580000	0x01580000	0x015fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001650000	0x01650000	0x016cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001700000	0x01700000	0x0177ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001750000	0x01750000	0x017cffff	Private Memory	Readable, Writable	Region Actions
msprivs.dll	0x75970000	0x75971fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
lsass.exe	0xffe50000	0xffe5bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7fefb680000	0x7fefb68afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IPHLPAPI.DLL	0x7fefb690000	0x7fefb6b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x7fefbdb0000	0x7fefbdbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefcf50000	0x7fefcf6dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefd060000	0x7fefd069fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
scecli.dll	0x7fefd070000	0x7fefd0adfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefd0a0000	0x7fefd0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
efslsaext.dll	0x7fefd0b0000	0x7fefd0c1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x7fefd0d0000	0x7fefd11bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pku2u.dll	0x7fefd120000	0x7fefd164fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
TSpkg.dll	0x7fefd170000	0x7fefd187fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd190000	0x7fefd1d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wdigest.dll	0x7fefd1e0000	0x7fefd215fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
schannel.dll	0x7fefd220000	0x7fefd276fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
logoncli.dll	0x7fefd280000	0x7fefd2affff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x7fefd2b0000	0x7fefd30afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netlogon.dll	0x7fefd310000	0x7fefd3bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msv1_0.dll	0x7fefd3c0000	0x7fefd410fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd420000	0x7fefd426fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd430000	0x7fefd484fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd490000	0x7fefd4a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kerberos.dll	0x7fefd4b0000	0x7fefd563fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
negoexts.dll	0x7fefd570000	0x7fefd593fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netjoin.dll	0x7fefd5a0000	0x7fefd5d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x7fefd5e0000	0x7fefd601fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ncrypt.dll	0x7fefd610000	0x7fefd65dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
authz.dll	0x7fefd660000	0x7fefd68efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cngaudit.dll	0x7fefd690000	0x7fefd698fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefd6a0000	0x7fefd70cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptdll.dll	0x7fefd710000	0x7fefd723fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samsrv.dll	0x7fefd730000	0x7fefd7ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lsasrv.dll	0x7fefd7f0000	0x7fefd956fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefda00000	0x7fefda0afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspisrv.dll	0x7fefda50000	0x7fefda5afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefda60000	0x7fefda84fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefda90000	0x7fefda9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefdb40000	0x7fefdb53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefdb60000	0x7fefdb9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefdba0000	0x7fefdbaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feff1e0000	0x7feff22cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feffce0000	0x7feffce7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\system32\lsass.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn

Process #13: lsm.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#13 / 0x1ec
OS Parent PID	0x174 (c:\windows\system32\wininit.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\lsm.exe
Command Line	C:\Windows\system32\lsm.exe
Monitor	Start Time: 00:01:13, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:00:57
OS Thread IDs	# 88 0x 1F0 # 115 0x 258 # 146 0x 2D0 # 148 0x 2D8 # 150 0x 2E0 # 151 0x 2E4 # 153 0x 2EC # 156 0x 2F8 # 157 0x 2FC # 159 0x 304

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x0006ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
lsm.exe.mui	0x00100000	0x00101fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000120000	0x00120000	0x00120fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000160000	0x00160000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001d0000	0x001d0000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x002effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000300000	0x00300000	0x003fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x004fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000500000	0x00500000	0x00687fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000690000	0x00690000	0x00810fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000820000	0x00820000	0x008dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000009e0000	0x009e0000	0x00a5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ab0000	0x00ab0000	0x00b2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000bc0000	0x00bc0000	0x00c3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c40000	0x00c40000	0x00cbffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00d20000	0x00feefff	Memory Mapped File	Readable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
lsm.exe	0xffae0000	0xffb36fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pcwum.dll	0x7fefcef0000	0x7fefcefcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefd060000	0x7fefd069fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd490000	0x7fefd4a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefda00000	0x7fefda0afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wmsgapi.dll	0x7fefda30000	0x7fefda37fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sysntfy.dll	0x7fefda40000	0x7fefda49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefda60000	0x7fefda84fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefda90000	0x7fefda9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefdb40000	0x7fefdb53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\system32\lsm.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn

Process #14: svchost.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#14 / 0x250
OS Parent PID	0x1d4 (c:\windows\system32\services.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe -k DcomLaunch
Monitor	Start Time: 00:01:16, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:00:54
OS Thread IDs	# 114 0x 254 # 116 0x 25C # 117 0x 260 # 118 0x 264 # 119 0x 268 # 120 0x 26C # 121 0x 270 # 122 0x 274 # 124 0x 278 # 127 0x 27C # 128 0x 280 # 129 0x 284 # 132 0x 290 # 134 0x 29C # 135 0x 2A0 # 136 0x 2A4 # 171 0x 334 # 442 0x 71C # 443 0x 720 # 454 0x 74C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x00010fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00020fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x0006ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x001bffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001c0000	0x001c0000	0x001c1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000001d0000	0x001d0000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000260000	0x00260000	0x00260fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000270000	0x00270000	0x00270fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000280000	0x00280000	0x00280fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000290000	0x00290000	0x00290fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000002f0000	0x002f0000	0x003effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x004effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004f0000	0x004f0000	0x00677fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000680000	0x00680000	0x00800fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000810000	0x00810000	0x00c02fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000c20000	0x00c20000	0x00c9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000cd0000	0x00cd0000	0x00d4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d50000	0x00d50000	0x00dcffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000de0000	0x00de0000	0x00e5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e70000	0x00e70000	0x00eeffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f70000	0x00f70000	0x00feffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000fa0000	0x00fa0000	0x0101ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x01060000	0x0132efff	Memory Mapped File	Readable	Region Actions
private_0x00000000013d0000	0x013d0000	0x0144ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001490000	0x01490000	0x0149ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014f0000	0x014f0000	0x0156ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001570000	0x01570000	0x0166ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001670000	0x01670000	0x016effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016f0000	0x016f0000	0x0176ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000017e0000	0x017e0000	0x0185ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000018a0000	0x018a0000	0x0191ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001940000	0x01940000	0x019bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000019d0000	0x019d0000	0x01a4ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000019e0000	0x019e0000	0x01a5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a70000	0x01a70000	0x01aeffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b20000	0x01b20000	0x01b9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001bd0000	0x01bd0000	0x01c4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c50000	0x01c50000	0x01d4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001db0000	0x01db0000	0x01e2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f70000	0x01f70000	0x01feffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
svchost.exe	0xff1c0000	0xff1cafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemprox.dll	0x7fef80a0000	0x7fef80aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdsapi.dll	0x7fef8250000	0x7fef8276fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fastprox.dll	0x7fef8280000	0x7fef8361fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WmiDcPrv.dll	0x7fef8370000	0x7fef83a1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemcomn.dll	0x7fef87c0000	0x7fef8845fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefbb30000	0x7fefbb5cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefbef0000	0x7fefbf00fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcss.dll	0x7fefce60000	0x7fefcee0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x7fefcec0000	0x7fefceebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pcwum.dll	0x7fefcef0000	0x7fefcefcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
umpo.dll	0x7fefcf00000	0x7fefcf2bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x7fefcf30000	0x7fefcf4afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefcf50000	0x7fefcf6dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devrtl.dll	0x7fefcf70000	0x7fefcf81fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
SPInf.dll	0x7fefcf90000	0x7fefcfaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
umpnpmgr.dll	0x7fefcfb0000	0x7fefd016fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefd060000	0x7fefd069fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd490000	0x7fefd4a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefda60000	0x7fefda84fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefda90000	0x7fefda9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefdb40000	0x7fefdb53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefdb60000	0x7fefdb9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefdba0000	0x7fefdbaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefddc0000	0x7fefddf5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefde70000	0x7fefde89fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x7fefdf30000	0x7fefdf69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feff1e0000	0x7feff22cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7feff310000	0x7feff4e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff570000	0x7feff608fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x7feff680000	0x7feff6d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feffce0000	0x7feffce7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff9a000	0x7fffff9a000	0x7fffff9bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9c000	0x7fffff9c000	0x7fffff9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9e000	0x7fffff9e000	0x7fffff9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\system32\svchost.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn

Process #15: svchost.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#15 / 0x294
OS Parent PID	0x1d4 (c:\windows\system32\services.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe -k RPCSS
Monitor	Start Time: 00:01:17, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:00:53
OS Thread IDs	# 133 0x 298 # 137 0x 2A8 # 138 0x 2AC # 139 0x 2B0 # 140 0x 2B4 # 141 0x 2B8 # 142 0x 2BC # 143 0x 2C0 # 339 0x 574 # 456 0x 754 # 459 0x 760 # 478 0x 7B4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x00010fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00020fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x0006ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000210000	0x00210000	0x002cffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000300000	0x00300000	0x003fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x004fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000520000	0x00520000	0x0059ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005e0000	0x005e0000	0x005effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005f0000	0x005f0000	0x00777fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000780000	0x00780000	0x00900fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000910000	0x00910000	0x00d02fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000d50000	0x00d50000	0x00dcffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000df0000	0x00df0000	0x00e6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e80000	0x00e80000	0x00efffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00f90000	0x0125efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001280000	0x01280000	0x012fffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013f0000	0x013f0000	0x0146ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001520000	0x01520000	0x0159ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015f0000	0x015f0000	0x0166ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001670000	0x01670000	0x0176ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000017e0000	0x017e0000	0x0185ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001990000	0x01990000	0x01a0ffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
svchost.exe	0xff1c0000	0xff1cafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FWPUCLNT.DLL	0x7fefacc0000	0x7fefad12fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcd60000	0x7fefcd6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FirewallAPI.dll	0x7fefcd70000	0x7fefce2afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WSHTCPIP.DLL	0x7fefce30000	0x7fefce36fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcEpMap.dll	0x7fefce40000	0x7fefce53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcss.dll	0x7fefce60000	0x7fefcee0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefd060000	0x7fefd069fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd190000	0x7fefd1d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd420000	0x7fefd426fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd430000	0x7fefd484fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd490000	0x7fefd4a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefda00000	0x7fefda0afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefda60000	0x7fefda84fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefda90000	0x7fefda9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefdb40000	0x7fefdb53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feff1e0000	0x7feff22cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff570000	0x7feff608fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feffce0000	0x7feffce7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\system32\svchost.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn

Process #16: svchost.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#16 / 0x2c4
OS Parent PID	0x1d4 (c:\windows\system32\services.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
Monitor	Start Time: 00:01:17, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:00:53
OS Thread IDs	# 145 0x 2C8 # 147 0x 2D4 # 152 0x 2E8 # 154 0x 2F0 # 155 0x 2F4 # 161 0x 310 # 162 0x 314 # 176 0x 350 # 177 0x 354 # 178 0x 358 # 180 0x 35C # 181 0x 360 # 202 0x 3B8 # 203 0x 3BC # 204 0x 3C0 # 207 0x 3D0 # 209 0x 3D8 # 266 0x 42C # 271 0x 444 # 273 0x 450 # 279 0x 468 # 284 0x 47C # 285 0x 480 # 346 0x 594 # 391 0x 648 # 396 0x 658 # 399 0x 668 # 400 0x 66C # 410 0x 698 # 412 0x 6A0 # 413 0x 6A4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x0006ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000070000	0x00070000	0x000effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00101fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000120000	0x00120000	0x00120fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000130000	0x00130000	0x00130fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000140000	0x00140000	0x0023ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00240000	0x002a6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000002b0000	0x002b0000	0x003affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003b0000	0x003b0000	0x003effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x003fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000400000	0x00400000	0x00587fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000590000	0x00590000	0x00710fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000720000	0x00720000	0x007dffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007e0000	0x007e0000	0x00bd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000be0000	0x00be0000	0x00bfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c00000	0x00c00000	0x00c1ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000c20000	0x00c20000	0x00c20fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000c30000	0x00c30000	0x00c30fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c40000	0x00c40000	0x00c40fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000c50000	0x00c50000	0x00c50fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000c90000	0x00c90000	0x00d0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d50000	0x00d50000	0x00dcffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000dd0000	0x00dd0000	0x00e4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e50000	0x00e50000	0x00ecffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00f20000	0x011eefff	Memory Mapped File	Readable	Region Actions
private_0x0000000001220000	0x01220000	0x0129ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000012e0000	0x012e0000	0x0135ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001360000	0x01360000	0x0145ffff	Private Memory	Readable, Writable	Region Actions
winlogon.exe	0x01460000	0x014c1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000001470000	0x01470000	0x014effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001520000	0x01520000	0x0159ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015c0000	0x015c0000	0x0163ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001650000	0x01650000	0x016cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016d0000	0x016d0000	0x016d7fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001730000	0x01730000	0x017affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001800000	0x01800000	0x0187ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001880000	0x01880000	0x018fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001900000	0x01900000	0x019fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a20000	0x01a20000	0x01a9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a50000	0x01a50000	0x01acffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ae0000	0x01ae0000	0x01b5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001bb0000	0x01bb0000	0x01c2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c90000	0x01c90000	0x01d0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d10000	0x01d10000	0x01f0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f50000	0x01f50000	0x01fcffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002010000	0x02010000	0x0208ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000020d0000	0x020d0000	0x0214ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002180000	0x02180000	0x021fffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000022c0000	0x022c0000	0x0233ffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
svchost.exe	0xff1c0000	0xff1cafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winlogon.exe	0xffc30000	0xffc91fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
services.exe	0xffe90000	0xffee2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x7fefac70000	0x7fefac87fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc6.dll	0x7fefac90000	0x7fefaca0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcore6.dll	0x7fefad50000	0x7fefad8afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcore.dll	0x7fefad90000	0x7fefade0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nrpsrv.dll	0x7fefae00000	0x7fefae07fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lmhsvc.dll	0x7fefae10000	0x7fefae19fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7fefb680000	0x7fefb68afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IPHLPAPI.DLL	0x7fefb690000	0x7fefb6b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
avrt.dll	0x7fefbb60000	0x7fefbb68fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
audiosrv.dll	0x7fefbb70000	0x7fefbc1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
MMDevAPI.dll	0x7fefc0b0000	0x7fefc0fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc520000	0x7fefc64bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x7fefcb90000	0x7fefcbbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtsvc.dll	0x7fefcbc0000	0x7fefcd55fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcd60000	0x7fefcd6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FirewallAPI.dll	0x7fefcd70000	0x7fefce2afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WSHTCPIP.DLL	0x7fefce30000	0x7fefce36fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x7fefcf30000	0x7fefcf4afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefd060000	0x7fefd069fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x7fefd2b0000	0x7fefd30afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd420000	0x7fefd426fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd430000	0x7fefd484fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd490000	0x7fefd4a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefd6a0000	0x7fefd70cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefda00000	0x7fefda0afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefda60000	0x7fefda84fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefda90000	0x7fefda9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefdb40000	0x7fefdb53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefdb60000	0x7fefdb9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefddc0000	0x7fefddf5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefde70000	0x7fefde89fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feff1e0000	0x7feff22cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7feff310000	0x7feff4e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff570000	0x7feff608fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feffce0000	0x7feffce7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff96000	0x7fffff96000	0x7fffff97fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff98000	0x7fffff98000	0x7fffff99fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9a000	0x7fffff9a000	0x7fffff9bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9c000	0x7fffff9c000	0x7fffff9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9e000	0x7fffff9e000	0x7fffff9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\System32\svchost.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn

Process #17: logonui.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#17 / 0x308
OS Parent PID	0x19c (c:\windows\system32\winlogon.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\logonui.exe
Command Line	"LogonUI.exe" /flags:0x0
Monitor	Start Time: 00:01:18, Reason: Child Process
Unmonitor	End Time: 00:01:36, Reason: Terminated
Monitor Duration	00:00:18
OS Thread IDs	# 160 0x 30C # 164 0x 31C # 165 0x 320 # 166 0x 324 # 167 0x 328 # 168 0x 32C # 172 0x 344 # 173 0x 348 # 174 0x 34C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x00010fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00020fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x0006ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000070000	0x00070000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000170000	0x00170000	0x0019ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001a0000	0x001a0000	0x001a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00230000	0x00296fff	Memory Mapped File	Readable	Region Actions
private_0x00000000002a0000	0x002a0000	0x0039ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003a0000	0x003a0000	0x003a0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003b0000	0x003b0000	0x003b1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003c0000	0x003c0000	0x003c1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003d0000	0x003d0000	0x003d1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003e0000	0x003e0000	0x003e1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000003f0000	0x003f0000	0x0046ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000470000	0x00470000	0x00476fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000480000	0x00480000	0x0048ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000490000	0x00490000	0x00617fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000620000	0x00620000	0x007a0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000007b0000	0x007b0000	0x007effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000007f0000	0x007f0000	0x007f1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000800000	0x00800000	0x00801fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000810000	0x00810000	0x00810fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000820000	0x00820000	0x00820fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000830000	0x00830000	0x00830fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000840000	0x00840000	0x00840fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000850000	0x00850000	0x00850fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000860000	0x00860000	0x00860fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000870000	0x00870000	0x008effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008f0000	0x008f0000	0x008f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000900000	0x00900000	0x00900fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000910000	0x00910000	0x00910fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000920000	0x00920000	0x00920fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000930000	0x00930000	0x00930fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000940000	0x00940000	0x009bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000009c0000	0x009c0000	0x009c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000009d0000	0x009d0000	0x009dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000009e0000	0x009e0000	0x009e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000009f0000	0x009f0000	0x009f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a00000	0x00a00000	0x00a00fff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00a10000	0x00cdefff	Memory Mapped File	Readable	Region Actions
private_0x0000000000ce0000	0x00ce0000	0x00d5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d60000	0x00d60000	0x00e5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e60000	0x00e60000	0x00e60fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e70000	0x00e70000	0x00e70fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e80000	0x00e80000	0x00e80fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e90000	0x00e90000	0x00e90fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ea0000	0x00ea0000	0x00ea0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000eb0000	0x00eb0000	0x00eb0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ec0000	0x00ec0000	0x00f3ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000f40000	0x00f40000	0x01332fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001340000	0x01340000	0x01340fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001350000	0x01350000	0x01350fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001360000	0x01360000	0x01360fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001370000	0x01370000	0x01370fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001380000	0x01380000	0x01380fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001390000	0x01390000	0x01390fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013a0000	0x013a0000	0x013a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013b0000	0x013b0000	0x013b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013c0000	0x013c0000	0x013c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013d0000	0x013d0000	0x013d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013e0000	0x013e0000	0x013e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013f0000	0x013f0000	0x013f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001400000	0x01400000	0x01400fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001410000	0x01410000	0x01410fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001420000	0x01420000	0x01420fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001430000	0x01430000	0x01430fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001440000	0x01440000	0x01446fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001450000	0x01450000	0x01459fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001460000	0x01460000	0x01466fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001470000	0x01470000	0x01493fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014a0000	0x014a0000	0x014a9fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014b0000	0x014b0000	0x014b6fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014c0000	0x014c0000	0x014c9fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014d0000	0x014d0000	0x014d6fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014e0000	0x014e0000	0x01517fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001520000	0x01520000	0x01529fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001530000	0x01530000	0x01530fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001540000	0x01540000	0x01540fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001550000	0x01550000	0x01550fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001560000	0x01560000	0x01560fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001570000	0x01570000	0x01570fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001580000	0x01580000	0x01581fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001590000	0x01590000	0x01590fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015a0000	0x015a0000	0x015a1fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015b0000	0x015b0000	0x015b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015c0000	0x015c0000	0x015c1fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015d0000	0x015d0000	0x015d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015e0000	0x015e0000	0x015e1fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015f0000	0x015f0000	0x015f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001600000	0x01600000	0x01600fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001610000	0x01610000	0x01610fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001620000	0x01620000	0x01620fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001630000	0x01630000	0x01630fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001640000	0x01640000	0x01640fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001650000	0x01650000	0x01650fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001660000	0x01660000	0x01660fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001670000	0x01670000	0x01670fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001680000	0x01680000	0x01680fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001690000	0x01690000	0x01690fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016a0000	0x016a0000	0x016a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016b0000	0x016b0000	0x016b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016c0000	0x016c0000	0x016c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016d0000	0x016d0000	0x016d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016e0000	0x016e0000	0x016e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016f0000	0x016f0000	0x016f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001700000	0x01700000	0x01700fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001710000	0x01710000	0x0180ffff	Private Memory	Readable, Writable	Region Actions
imageres.dll	0x01810000	0x02b64fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002b70000	0x02b70000	0x02b70fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b80000	0x02b80000	0x02b91fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002ba0000	0x02ba0000	0x02ba1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002bb0000	0x02bb0000	0x02bb1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002bc0000	0x02bc0000	0x02c3ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002c40000	0x02c40000	0x02c42fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002c50000	0x02c50000	0x02c5ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000002c60000	0x02c60000	0x02cdffff	Private Memory	Readable, Writable	Region Actions
KernelBase.dll.mui	0x02c60000	0x02d1ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000002d20000	0x02d20000	0x02d25fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d30000	0x02d30000	0x02d30fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d40000	0x02d40000	0x02d47fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d50000	0x02d50000	0x02d50fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000002d60000	0x02d60000	0x02d6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002db0000	0x02db0000	0x02e2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002e90000	0x02e90000	0x02f0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002f10000	0x02f10000	0x02f8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ff0000	0x02ff0000	0x0306ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000003070000	0x03070000	0x0314efff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000031b0000	0x031b0000	0x0322ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003560000	0x03560000	0x03560fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003570000	0x03570000	0x03570fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003580000	0x03580000	0x0367ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003680000	0x03680000	0x03681fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003690000	0x03690000	0x03b81fff	Private Memory	Readable, Writable	Region Actions
StaticCache.dat	0x03b90000	0x044bffff	Memory Mapped File	Readable	Region Actions
private_0x00000000044c0000	0x044c0000	0x044c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000044d0000	0x044d0000	0x044d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000044e0000	0x044e0000	0x044e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000044f0000	0x044f0000	0x044f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004500000	0x04500000	0x04500fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004510000	0x04510000	0x0470ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004710000	0x04710000	0x04710fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004720000	0x04720000	0x04720fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004730000	0x04730000	0x04730fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004740000	0x04740000	0x04740fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004750000	0x04750000	0x04750fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004760000	0x04760000	0x04760fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004770000	0x04770000	0x04770fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004780000	0x04780000	0x04780fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004790000	0x04790000	0x04790fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000047a0000	0x047a0000	0x047a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000047b0000	0x047b0000	0x047b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000047c0000	0x047c0000	0x047c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000047d0000	0x047d0000	0x047d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000047e0000	0x047e0000	0x047e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000047f0000	0x047f0000	0x047f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004800000	0x04800000	0x04800fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004810000	0x04810000	0x04810fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004820000	0x04820000	0x04820fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004830000	0x04830000	0x04830fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004840000	0x04840000	0x04840fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004850000	0x04850000	0x04850fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004860000	0x04860000	0x04860fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004870000	0x04870000	0x04870fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004880000	0x04880000	0x04880fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004890000	0x04890000	0x04890fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000048a0000	0x048a0000	0x048a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000048b0000	0x048b0000	0x048b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000048c0000	0x048c0000	0x048c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000048d0000	0x048d0000	0x048d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000048e0000	0x048e0000	0x048e6fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000048f0000	0x048f0000	0x048f9fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004900000	0x04900000	0x04906fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004910000	0x04910000	0x04933fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004940000	0x04940000	0x04949fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004950000	0x04950000	0x04956fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004960000	0x04960000	0x04969fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004970000	0x04970000	0x04976fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004980000	0x04980000	0x049b7fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000049c0000	0x049c0000	0x049c9fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000049d0000	0x049d0000	0x049d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000049e0000	0x049e0000	0x049e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000049f0000	0x049f0000	0x049f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a00000	0x04a00000	0x04a00fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a10000	0x04a10000	0x04a10fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a20000	0x04a20000	0x04a21fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a30000	0x04a30000	0x04a30fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a40000	0x04a40000	0x04a41fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a50000	0x04a50000	0x04a50fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a60000	0x04a60000	0x04a61fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a70000	0x04a70000	0x04a70fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a80000	0x04a80000	0x04a81fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a90000	0x04a90000	0x04a90fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004aa0000	0x04aa0000	0x04aa0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004ab0000	0x04ab0000	0x04ab0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004ac0000	0x04ac0000	0x04ac0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004ad0000	0x04ad0000	0x04ad0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004ae0000	0x04ae0000	0x04ae0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004af0000	0x04af0000	0x04af0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004b00000	0x04b00000	0x04b00fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004b10000	0x04b10000	0x04b10fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004b20000	0x04b20000	0x04b20fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004b30000	0x04b30000	0x04b30fff	Private Memory	Readable, Writable	Region Actions
imageres.dll	0x74610000	0x75965fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
LogonUI.exe	0xff510000	0xff51afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rtutils.dll	0x7fefbc20000	0x7fefbc30fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasman.dll	0x7fefbc40000	0x7fefbc5bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasapi32.dll	0x7fefbc60000	0x7fefbcc1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasplap.dll	0x7fefbcd0000	0x7fefbd37fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
certCredProvider.dll	0x7fefbd40000	0x7fefbd62fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x7fefbd70000	0x7fefbd83fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x7fefbd90000	0x7fefbda4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x7fefbdb0000	0x7fefbdbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x7fefbdc0000	0x7fefbdd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vaultcli.dll	0x7fefbde0000	0x7fefbdedfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credui.dll	0x7fefbdf0000	0x7fefbe23fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbio.dll	0x7fefbe30000	0x7fefbe46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
BioCredProv.dll	0x7fefbe50000	0x7fefbe81fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
SmartcardCredentialProvider.dll	0x7fefbe90000	0x7fefbec1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
VaultCredProvider.dll	0x7fefbed0000	0x7fefbee7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefbef0000	0x7fefbf00fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x7fefbf10000	0x7fefbf17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WindowsCodecs.dll	0x7fefbf20000	0x7fefc049fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
xmllite.dll	0x7fefc050000	0x7fefc084fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefc090000	0x7fefc0a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
MMDevAPI.dll	0x7fefc0b0000	0x7fefc0fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
hid.dll	0x7fefc100000	0x7fefc10afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
SndVolSSO.dll	0x7fefc110000	0x7fefc14afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
duser.dll	0x7fefc150000	0x7fefc192fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dui70.dll	0x7fefc1a0000	0x7fefc291fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
GdiPlus.dll	0x7fefc2a0000	0x7fefc4b4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc4c0000	0x7fefc515fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc520000	0x7fefc64bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samlib.dll	0x7fefc650000	0x7fefc66cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shacct.dll	0x7fefc670000	0x7fefc693fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefc6a0000	0x7fefc893fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptui.dll	0x7fefc8a0000	0x7fefc9a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
authui.dll	0x7fefc9b0000	0x7fefcb89fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd190000	0x7fefd1d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd490000	0x7fefd4a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netjoin.dll	0x7fefd5a0000	0x7fefd5d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x7fefd960000	0x7fefd982fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefda00000	0x7fefda0afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefda60000	0x7fefda84fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefda90000	0x7fefda9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefdb40000	0x7fefdb53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefdb60000	0x7fefdb9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefddc0000	0x7fefddf5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefde70000	0x7fefde89fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x7fefdf30000	0x7fefdf69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feff1e0000	0x7feff22cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7feff310000	0x7feff4e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff570000	0x7feff608fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feffce0000	0x7feffce7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\system32\LogonUI.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn

Process #18: svchost.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#18 / 0x33c
OS Parent PID	0x1d4 (c:\windows\system32\services.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Monitor	Start Time: 00:01:20, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:00:50
OS Thread IDs	# 175 0x 340 # 182 0x 364 # 183 0x 368 # 184 0x 36C # 185 0x 370 # 187 0x 37C # 188 0x 380 # 190 0x 388 # 192 0x 390 # 193 0x 394 # 212 0x 3E4 # 215 0x 3F0 # 217 0x 3FC # 219 0x E8 # 221 0x 10C # 222 0x 11C # 233 0x 184 # 234 0x 170 # 262 0x 418 # 263 0x 41C # 274 0x 454 # 277 0x 460 # 431 0x 6F0 # 435 0x 700 # 437 0x 708 # 438 0x 70C # 440 0x 714 # 472 0x 79C # 473 0x 7A0 # 474 0x 7A4 # 479 0x 7B8 # 486 0x 7D4 # 490 0x 7E4 # 494 0x 7F0

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x00010fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00020fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x0006ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000120000	0x00120000	0x00120fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000130000	0x00130000	0x001affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001b0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001c0000	0x001c0000	0x001c1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001d0000	0x001d0000	0x001d1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001e0000	0x001e0000	0x001e1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001f0000	0x001f0000	0x001f0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000200000	0x00200000	0x00200fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000220000	0x00220000	0x0022ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000260000	0x00260000	0x0035ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000360000	0x00360000	0x0045ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000460000	0x00460000	0x005e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005f0000	0x005f0000	0x00770fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000780000	0x00780000	0x0083ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000840000	0x00840000	0x00c32fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000c70000	0x00c70000	0x00c7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ca0000	0x00ca0000	0x00d1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d60000	0x00d60000	0x00ddffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e30000	0x00e30000	0x00eaffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00eb0000	0x0117efff	Memory Mapped File	Readable	Region Actions
private_0x00000000011a0000	0x011a0000	0x0121ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001240000	0x01240000	0x012bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000012c0000	0x012c0000	0x0133ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001360000	0x01360000	0x013dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013c0000	0x013c0000	0x0143ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001450000	0x01450000	0x014cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014d0000	0x014d0000	0x0154ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015a0000	0x015a0000	0x0161ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001630000	0x01630000	0x016affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016d0000	0x016d0000	0x0174ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016d0000	0x016d0000	0x0174ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001760000	0x01760000	0x017dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001800000	0x01800000	0x0187ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001890000	0x01890000	0x0190ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000018a0000	0x018a0000	0x0191ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000018a0000	0x018a0000	0x0191ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000018c0000	0x018c0000	0x0193ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001940000	0x01940000	0x019bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000019f0000	0x019f0000	0x01a6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ae0000	0x01ae0000	0x01b5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001bb0000	0x01bb0000	0x01c2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001bd0000	0x01bd0000	0x01c4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c50000	0x01c50000	0x01ccffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d00000	0x01d00000	0x01d7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d40000	0x01d40000	0x01dbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001dd0000	0x01dd0000	0x01e4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e50000	0x01e50000	0x01ecffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ed0000	0x01ed0000	0x01fcffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ee0000	0x01ee0000	0x01f5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f70000	0x01f70000	0x01feffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ff0000	0x01ff0000	0x01ffffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002000000	0x02000000	0x020fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002100000	0x02100000	0x021fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002250000	0x02250000	0x0225ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000022a0000	0x022a0000	0x0231ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002320000	0x02320000	0x0239ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000023e0000	0x023e0000	0x023effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000023f0000	0x023f0000	0x024effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002570000	0x02570000	0x0257ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000025e0000	0x025e0000	0x0265ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000026a0000	0x026a0000	0x026affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002760000	0x02760000	0x0276ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002770000	0x02770000	0x0286ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000028f0000	0x028f0000	0x028fffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029d0000	0x029d0000	0x029dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029e0000	0x029e0000	0x02adffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b50000	0x02b50000	0x02bcffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c40000	0x02c40000	0x02cbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c90000	0x02c90000	0x02d0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c90000	0x02c90000	0x02d0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002cc0000	0x02cc0000	0x02d3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d00000	0x02d00000	0x02d7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d30000	0x02d30000	0x02daffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d40000	0x02d40000	0x02dbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d80000	0x02d80000	0x02dfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d90000	0x02d90000	0x02e0ffff	Private Memory	Readable, Writable	Region Actions
sfc.dll	0x75960000	0x75962fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
svchost.exe	0xff1c0000	0xff1cafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappcfg.dll	0x7fef6c10000	0x7fef6c53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappcfg.dll	0x7fef6c10000	0x7fef6c53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappcfg.dll	0x7fef6c10000	0x7fef6c53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappcfg.dll	0x7fef6c10000	0x7fef6c53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappcfg.dll	0x7fef6c10000	0x7fef6c53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappcfg.dll	0x7fef6c10000	0x7fef6c53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappcfg.dll	0x7fef6c20000	0x7fef6c63fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappprxy.dll	0x7fef6c60000	0x7fef6c73fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappprxy.dll	0x7fef6c60000	0x7fef6c73fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappprxy.dll	0x7fef6c60000	0x7fef6c73fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappprxy.dll	0x7fef6c60000	0x7fef6c73fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappprxy.dll	0x7fef6c60000	0x7fef6c73fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappprxy.dll	0x7fef6c60000	0x7fef6c73fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappprxy.dll	0x7fef6c70000	0x7fef6c83fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappcfg.dll	0x7fef6c70000	0x7fef6cb3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappcfg.dll	0x7fef6c70000	0x7fef6cb3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappcfg.dll	0x7fef6c70000	0x7fef6cb3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappcfg.dll	0x7fef6c70000	0x7fef6cb3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappcfg.dll	0x7fef6c70000	0x7fef6cb3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
onex.dll	0x7fef6c80000	0x7fef6cbffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
onex.dll	0x7fef6c80000	0x7fef6cbffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
onex.dll	0x7fef6c80000	0x7fef6cbffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
onex.dll	0x7fef6c80000	0x7fef6cbffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
onex.dll	0x7fef6c80000	0x7fef6cbffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
onex.dll	0x7fef6c80000	0x7fef6cbffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanhlp.dll	0x7fef6c90000	0x7fef6cb0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
PortableDeviceConnectApi.dll	0x7fef7940000	0x7fef7956fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wpdbusenum.dll	0x7fef7a90000	0x7fef7ab0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netman.dll	0x7fef7ac0000	0x7fef7b1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wdi.dll	0x7fef7c70000	0x7fef7c88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
hnetcfg.dll	0x7fef7dd0000	0x7fef7e3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemsvc.dll	0x7fef7e40000	0x7fef7e53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemprox.dll	0x7fef80a0000	0x7fef80aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netcfgx.dll	0x7fef8120000	0x7fef81a3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdsapi.dll	0x7fef8250000	0x7fef8276fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fastprox.dll	0x7fef8280000	0x7fef8361fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rtutils.dll	0x7fef8700000	0x7fef8710fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemcomn.dll	0x7fef87c0000	0x7fef8845fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
trkwks.dll	0x7fef8890000	0x7fef88b1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sysmain.dll	0x7fef8920000	0x7fef8acdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sfc_os.dll	0x7fef8c50000	0x7fef8c5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
aepic.dll	0x7fef8c60000	0x7fef8c71fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pcasvc.dll	0x7fef8c80000	0x7fef8cb1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscobj.dll	0x7fef9060000	0x7fef909efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
PortableDeviceApi.dll	0x7fef9430000	0x7fef94ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netshell.dll	0x7fef9550000	0x7fef97dafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappcfg.dll	0x7fef9870000	0x7fef98b3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
onex.dll	0x7fef9870000	0x7fef98affff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dot3api.dll	0x7fef9870000	0x7fef9887fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dot3api.dll	0x7fef9870000	0x7fef9887fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappcfg.dll	0x7fef9880000	0x7fef98c3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanhlp.dll	0x7fef9880000	0x7fef98a0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanhlp.dll	0x7fef9880000	0x7fef98a0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanhlp.dll	0x7fef9880000	0x7fef98a0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanhlp.dll	0x7fef9880000	0x7fef98a0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanhlp.dll	0x7fef9880000	0x7fef98a0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanhlp.dll	0x7fef9880000	0x7fef98a0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappcfg.dll	0x7fef9890000	0x7fef98d3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dot3api.dll	0x7fef9890000	0x7fef98a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dot3api.dll	0x7fef9890000	0x7fef98a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dot3api.dll	0x7fef9890000	0x7fef98a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
onex.dll	0x7fef98c0000	0x7fef98fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappprxy.dll	0x7fef98d0000	0x7fef98e3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappprxy.dll	0x7fef98e0000	0x7fef98f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
onex.dll	0x7fef98f0000	0x7fef992ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
onex.dll	0x7fef9900000	0x7fef993ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappprxy.dll	0x7fef9920000	0x7fef9933fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanhlp.dll	0x7fef9930000	0x7fef9950fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanutil.dll	0x7fef9940000	0x7fef9946fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanhlp.dll	0x7fef9940000	0x7fef9960fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanapi.dll	0x7fef9950000	0x7fef996ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanapi.dll	0x7fef9960000	0x7fef997ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanapi.dll	0x7fef9960000	0x7fef997ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanapi.dll	0x7fef9960000	0x7fef997ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanapi.dll	0x7fef9960000	0x7fef997ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanapi.dll	0x7fef9960000	0x7fef997ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanapi.dll	0x7fef9960000	0x7fef997ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanhlp.dll	0x7fef9970000	0x7fef9990fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanutil.dll	0x7fef9970000	0x7fef9976fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanapi.dll	0x7fef9980000	0x7fef999ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanutil.dll	0x7fef9990000	0x7fef9996fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanutil.dll	0x7fef9990000	0x7fef9996fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanutil.dll	0x7fef9990000	0x7fef9996fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanutil.dll	0x7fef9990000	0x7fef9996fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanutil.dll	0x7fef9990000	0x7fef9996fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanutil.dll	0x7fef9990000	0x7fef9996fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappcfg.dll	0x7fef99d0000	0x7fef9a13fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappcfg.dll	0x7fef99f0000	0x7fef9a33fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
onex.dll	0x7fef9a20000	0x7fef9a5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappcfg.dll	0x7fef9a40000	0x7fef9a83fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappprxy.dll	0x7fef9a40000	0x7fef9a53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
onex.dll	0x7fef9a60000	0x7fef9a9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappprxy.dll	0x7fef9a80000	0x7fef9a93fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappprxy.dll	0x7fef9a90000	0x7fef9aa3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanutil.dll	0x7fef9aa0000	0x7fef9aa6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanhlp.dll	0x7fef9aa0000	0x7fef9ac0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
onex.dll	0x7fef9ab0000	0x7fef9aeffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanapi.dll	0x7fef9ab0000	0x7fef9acffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
eappcfg.dll	0x7fef9ad0000	0x7fef9b13fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanhlp.dll	0x7fef9ad0000	0x7fef9af0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanutil.dll	0x7fef9ad0000	0x7fef9ad6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanapi.dll	0x7fef9ae0000	0x7fef9afffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanutil.dll	0x7fef9af0000	0x7fef9af6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanapi.dll	0x7fef9b00000	0x7fef9b1ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasapi32.dll	0x7fef9b20000	0x7fef9b81fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasdlg.dll	0x7fef9b90000	0x7fef9c67fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanhlp.dll	0x7fefa120000	0x7fefa140fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dot3api.dll	0x7fefa130000	0x7fefa147fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasman.dll	0x7fefa150000	0x7fefa16bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mprapi.dll	0x7fefa170000	0x7fefa1a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Apphlpdm.dll	0x7fefa1b0000	0x7fefa1bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wer.dll	0x7fefa720000	0x7fefa79bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxsms.dll	0x7fefb140000	0x7fefb14ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x7fefb350000	0x7fefb3a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7fefb680000	0x7fefb68afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IPHLPAPI.DLL	0x7fefb690000	0x7fefb6b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefb740000	0x7fefb74afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dsrole.dll	0x7fefb750000	0x7fefb75bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mstask.dll	0x7fefb770000	0x7fefb7acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskschd.dll	0x7fefb7b0000	0x7fefb8d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefb8e0000	0x7fefb8f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x7fefb940000	0x7fefb954fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
PeerDist.dll	0x7fefba30000	0x7fefba5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscsvc.dll	0x7fefba60000	0x7fefbb0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefbb30000	0x7fefbb5cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
avrt.dll	0x7fefbb60000	0x7fefbb68fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
audiosrv.dll	0x7fefbb70000	0x7fefbc1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefbef0000	0x7fefbf00fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
MMDevAPI.dll	0x7fefc0b0000	0x7fefc0fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc520000	0x7fefc64bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefc6a0000	0x7fefc893fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x7fefcb90000	0x7fefcbbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcd60000	0x7fefcd6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pcwum.dll	0x7fefcef0000	0x7fefcefcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x7fefcf30000	0x7fefcf4afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefcf50000	0x7fefcf6dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devrtl.dll	0x7fefcf70000	0x7fefcf81fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd190000	0x7fefd1d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd490000	0x7fefd4a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
authz.dll	0x7fefd660000	0x7fefd68efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefd6a0000	0x7fefd70cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefda60000	0x7fefda84fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefda90000	0x7fefda9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefdb40000	0x7fefdb53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefdb60000	0x7fefdb9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefdba0000	0x7fefdbaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefddc0000	0x7fefddf5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefde70000	0x7fefde89fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x7fefdf30000	0x7fefdf69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7fefdf70000	0x7fefecf7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feff1e0000	0x7feff22cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7feff310000	0x7feff4e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff570000	0x7feff608fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x7feff680000	0x7feff6d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feffce0000	0x7feffce7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff8c000	0x7fffff8c000	0x7fffff8dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff8e000	0x7fffff8e000	0x7fffff8ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff90000	0x7fffff90000	0x7fffff91fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff92000	0x7fffff92000	0x7fffff93fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff94000	0x7fffff94000	0x7fffff95fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff94000	0x7fffff94000	0x7fffff95fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff96000	0x7fffff96000	0x7fffff97fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff98000	0x7fffff98000	0x7fffff99fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9a000	0x7fffff9a000	0x7fffff9bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9a000	0x7fffff9a000	0x7fffff9bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9c000	0x7fffff9c000	0x7fffff9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9e000	0x7fffff9e000	0x7fffff9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\System32\svchost.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn

Process #19: svchost.exe

(Host: 13143, Network: 0)

Information	Value
ID / OS PID	#19 / 0x374
OS Parent PID	0x1d4 (c:\windows\system32\services.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe -k netsvcs
Monitor	Start Time: 00:01:21, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:00:49
OS Thread IDs	# 186 0x 378 # 189 0x 384 # 191 0x 38C # 194 0x 398 # 195 0x 39C # 196 0x 3A0 # 197 0x 3A4 # 198 0x 3A8 # 199 0x 3AC # 200 0x 3B0 # 201 0x 3B4 # 213 0x 3E8 # 214 0x 3EC # 218 0x C0 # 220 0x 110 # 224 0x 118 # 226 0x 14C # 239 0x 130 # 240 0x 134 # 241 0x 1E8 # 249 0x 37C # 250 0x 3B8 # 290 0x 494 # 293 0x 4A0 # 311 0x 4E0 # 313 0x 4F0 # 314 0x 4F8 # 319 0x 434 # 320 0x 430 # 326 0x 53C # 439 0x 710 # 444 0x 724 # 445 0x 728 # 446 0x 72C # 447 0x 730 # 448 0x 734 # 449 0x 738 # 450 0x 73C # 451 0x 740 # 452 0x 744 # 453 0x 748 # 455 0x 750 # 457 0x 758 # 461 0x 768 # 465 0x 778 # 467 0x 780 # 493 0x 7EC # 495 0x 7F4 # 497 0x 7FC # 498 0x 420 # 501 0x 438 # 504 0x 490 # 506 0x 49C # 510 0x 4B4 # 512 0x 4BC # 513 0x 4D8 # 514 0x 4E4 # 515 0x 370 # 516 0x 4FC # 517 0x 300 # 518 0x 264 # 519 0x 290

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x0006ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000120000	0x00120000	0x00124fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x00120fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000130000	0x00130000	0x00130fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00140fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000150000	0x00150000	0x001cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001d0000	0x001d0000	0x001d4fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000001d0000	0x001d0000	0x001d0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001e0000	0x001e0000	0x001e1fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x001f0000	0x001f3fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000200000	0x00200000	0x00201fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x00210000	0x00213fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000220000	0x00220000	0x0031ffff	Private Memory	Readable, Writable	Region Actions
{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db	0x00320000	0x0034ffff	Memory Mapped File	Readable	Region Actions
private_0x0000000000350000	0x00350000	0x00354fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000350000	0x00350000	0x00350fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000360000	0x00360000	0x0036ffff	Private Memory	Readable, Writable	Region Actions
FirewallAPI.dll.mui	0x00370000	0x0038bfff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00394fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000003a0000	0x003a0000	0x003affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003b0000	0x003b0000	0x004affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004b0000	0x004b0000	0x00637fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000640000	0x00640000	0x007c0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007d0000	0x007d0000	0x0088ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000890000	0x00890000	0x00c82fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000ce0000	0x00ce0000	0x00d5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000da0000	0x00da0000	0x00e1ffff	Private Memory	Readable, Writable	Region Actions
{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db	0x00e20000	0x00e85fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000e90000	0x00e90000	0x00f0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f60000	0x00f60000	0x00fdffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001010000	0x01010000	0x0110ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x01110000	0x013defff	Memory Mapped File	Readable	Region Actions
private_0x0000000001400000	0x01400000	0x0147ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014a0000	0x014a0000	0x0151ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001520000	0x01520000	0x0159ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015a0000	0x015a0000	0x0161ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001630000	0x01630000	0x016affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016b0000	0x016b0000	0x0172ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001740000	0x01740000	0x017bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001810000	0x01810000	0x0188ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000018c0000	0x018c0000	0x0193ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000018d0000	0x018d0000	0x0194ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000019c0000	0x019c0000	0x01a3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a70000	0x01a70000	0x01aeffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b40000	0x01b40000	0x01b4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b60000	0x01b60000	0x01bdffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b70000	0x01b70000	0x01beffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b90000	0x01b90000	0x01c0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c20000	0x01c20000	0x01c9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001cc0000	0x01cc0000	0x01d3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d40000	0x01d40000	0x01dbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e00000	0x01e00000	0x01e7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e30000	0x01e30000	0x01eaffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ec0000	0x01ec0000	0x01f3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f40000	0x01f40000	0x01fbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001fd0000	0x01fd0000	0x0204ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000020a0000	0x020a0000	0x0211ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002120000	0x02120000	0x0219ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002210000	0x02210000	0x0228ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000022b0000	0x022b0000	0x0232ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002330000	0x02330000	0x023affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000023c0000	0x023c0000	0x0243ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002460000	0x02460000	0x024dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024f0000	0x024f0000	0x0256ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002570000	0x02570000	0x0266ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002690000	0x02690000	0x0270ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002710000	0x02710000	0x0278ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002750000	0x02750000	0x027cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000027f0000	0x027f0000	0x0286ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000028a0000	0x028a0000	0x0291ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002990000	0x02990000	0x02a0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a10000	0x02a10000	0x02a8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002aa0000	0x02aa0000	0x02b1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b90000	0x02b90000	0x02c0ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002c10000	0x02c10000	0x02d0ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000002d70000	0x02d70000	0x02deffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002e00000	0x02e00000	0x02e7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002eb0000	0x02eb0000	0x02f2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002f60000	0x02f60000	0x02fdffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002fe0000	0x02fe0000	0x030dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003100000	0x03100000	0x0317ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003150000	0x03150000	0x031cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000031d0000	0x031d0000	0x031dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000031e0000	0x031e0000	0x032dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003300000	0x03300000	0x0330ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003310000	0x03310000	0x0340ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003420000	0x03420000	0x0349ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000034e0000	0x034e0000	0x0355ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000035d0000	0x035d0000	0x0364ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003660000	0x03660000	0x036dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003700000	0x03700000	0x0377ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003780000	0x03780000	0x037fffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000038a0000	0x038a0000	0x0391ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003920000	0x03920000	0x0399ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000039c0000	0x039c0000	0x03a3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003a40000	0x03a40000	0x03b3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003b40000	0x03b40000	0x03d3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003d40000	0x03d40000	0x0413ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000041e0000	0x041e0000	0x0425ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004260000	0x04260000	0x04a5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004ac0000	0x04ac0000	0x04b3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004b40000	0x04b40000	0x04bbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004bc0000	0x04bc0000	0x04dbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004e20000	0x04e20000	0x04e9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004ea0000	0x04ea0000	0x04f1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004f20000	0x04f20000	0x04f9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004fa0000	0x04fa0000	0x05f6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005ff0000	0x05ff0000	0x0606ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000060a0000	0x060a0000	0x0611ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000061e0000	0x061e0000	0x0625ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000062a0000	0x062a0000	0x0631ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006360000	0x06360000	0x063dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006420000	0x06420000	0x0649ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006500000	0x06500000	0x0657ffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
svchost.exe	0xff1c0000	0xff1cafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
npmproxy.dll	0x7fef7a80000	0x7fef7a8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasadhlp.dll	0x7fef7c90000	0x7fef7c97fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
repdrvfs.dll	0x7fef7ca0000	0x7fef7d12fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wmiutils.dll	0x7fef7d20000	0x7fef7d45fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netprofm.dll	0x7fef7d50000	0x7fef7dc3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
hnetcfg.dll	0x7fef7dd0000	0x7fef7e3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemsvc.dll	0x7fef7e40000	0x7fef7e53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
esscli.dll	0x7fef7e60000	0x7fef7ecefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemcore.dll	0x7fef7ed0000	0x7fef7ffefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
resutils.dll	0x7fef8000000	0x7fef8018fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clusapi.dll	0x7fef8020000	0x7fef806ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sscore.dll	0x7fef8070000	0x7fef8077fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nci.dll	0x7fef8080000	0x7fef8099fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemprox.dll	0x7fef80a0000	0x7fef80aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
browser.dll	0x7fef80b0000	0x7fef80d4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvsvc.dll	0x7fef80e0000	0x7fef811cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netcfgx.dll	0x7fef8120000	0x7fef81a3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdsapi.dll	0x7fef8250000	0x7fef8276fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fastprox.dll	0x7fef8280000	0x7fef8361fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wdscore.dll	0x7fef8660000	0x7fef86a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sqmapi.dll	0x7fef86b0000	0x7fef86f1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rtutils.dll	0x7fef8700000	0x7fef8710fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpsvc.dll	0x7fef8720000	0x7fef87b1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemcomn.dll	0x7fef87c0000	0x7fef8845fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WMIsvc.dll	0x7fef8850000	0x7fef888ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vssapi.dll	0x7fef8db0000	0x7fef8f5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vsstrace.dll	0x7fef9190000	0x7fef91a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemess.dll	0x7fef99a0000	0x7fef9a1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ncobjapi.dll	0x7fef9a20000	0x7fef9a35fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WmiPrvSD.dll	0x7fef9a40000	0x7fef9afbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskcomp.dll	0x7fefa210000	0x7fefa286fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wiarpc.dll	0x7fefa450000	0x7fefa45efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ktmw32.dll	0x7fefa460000	0x7fefa469fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
schedsvc.dll	0x7fefa470000	0x7fefa581fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
actxprxy.dll	0x7fefaaa0000	0x7fefab8dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fvecerts.dll	0x7fefab90000	0x7fefab98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
tbs.dll	0x7fefaba0000	0x7fefaba8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fveapi.dll	0x7fefabb0000	0x7fefac05fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shsvcs.dll	0x7fefac10000	0x7fefac6dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x7fefac70000	0x7fefac87fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc6.dll	0x7fefac90000	0x7fefaca0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FWPUCLNT.DLL	0x7fefacc0000	0x7fefad12fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Sens.dll	0x7fefb660000	0x7fefb673fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7fefb680000	0x7fefb68afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IPHLPAPI.DLL	0x7fefb690000	0x7fefb6b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
es.dll	0x7fefb6c0000	0x7fefb726fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefb740000	0x7fefb74afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dsrole.dll	0x7fefb750000	0x7fefb75bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
themeservice.dll	0x7fefb760000	0x7fefb76ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefb8e0000	0x7fefb8f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profsvc.dll	0x7fefb900000	0x7fefb936fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x7fefb940000	0x7fefb954fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpsvc.dll	0x7fefb960000	0x7fefba21fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mmcss.dll	0x7fefbb10000	0x7fefbb2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefbb30000	0x7fefbb5cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
avrt.dll	0x7fefbb60000	0x7fefbb68fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x7fefbd70000	0x7fefbd83fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x7fefbd90000	0x7fefbda4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x7fefbdb0000	0x7fefbdbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x7fefbdc0000	0x7fefbdd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefbef0000	0x7fefbf00fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
xmllite.dll	0x7fefc050000	0x7fefc084fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc4c0000	0x7fefc515fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc520000	0x7fefc64bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samlib.dll	0x7fefc650000	0x7fefc66cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefc6a0000	0x7fefc893fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcd60000	0x7fefcd6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FirewallAPI.dll	0x7fefcd70000	0x7fefce2afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WSHTCPIP.DLL	0x7fefce30000	0x7fefce36fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pcwum.dll	0x7fefcef0000	0x7fefcefcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x7fefcf30000	0x7fefcf4afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefcf50000	0x7fefcf6dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devrtl.dll	0x7fefcf70000	0x7fefcf81fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ubpm.dll	0x7fefd020000	0x7fefd058fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefd060000	0x7fefd069fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd190000	0x7fefd1d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
logoncli.dll	0x7fefd280000	0x7fefd2affff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x7fefd2b0000	0x7fefd30afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd420000	0x7fefd426fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd430000	0x7fefd484fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd490000	0x7fefd4a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netjoin.dll	0x7fefd5a0000	0x7fefd5d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
authz.dll	0x7fefd660000	0x7fefd68efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefd6a0000	0x7fefd70cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptdll.dll	0x7fefd710000	0x7fefd723fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x7fefd960000	0x7fefd982fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefda00000	0x7fefda0afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sysntfy.dll	0x7fefda40000	0x7fefda49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefda60000	0x7fefda84fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefda90000	0x7fefda9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxs.dll	0x7fefdaa0000	0x7fefdb30fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefdb40000	0x7fefdb53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefdb60000	0x7fefdb9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefdba0000	0x7fefdbaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefddc0000	0x7fefddf5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefde70000	0x7fefde89fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x7fefdf30000	0x7fefdf69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7fefdf70000	0x7fefecf7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feff1e0000	0x7feff22cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7feff310000	0x7feff4e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff570000	0x7feff608fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x7feff680000	0x7feff6d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feffce0000	0x7feffce7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff50000	0x7fffff50000	0x7fffff51fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff52000	0x7fffff52000	0x7fffff53fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff54000	0x7fffff54000	0x7fffff55fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff56000	0x7fffff56000	0x7fffff57fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff58000	0x7fffff58000	0x7fffff59fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff5a000	0x7fffff5a000	0x7fffff5bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff5c000	0x7fffff5c000	0x7fffff5dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff5e000	0x7fffff5e000	0x7fffff5ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff60000	0x7fffff60000	0x7fffff61fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff62000	0x7fffff62000	0x7fffff63fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff64000	0x7fffff64000	0x7fffff65fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff66000	0x7fffff66000	0x7fffff67fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff68000	0x7fffff68000	0x7fffff69fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff6a000	0x7fffff6a000	0x7fffff6bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff6c000	0x7fffff6c000	0x7fffff6dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff6e000	0x7fffff6e000	0x7fffff6ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff70000	0x7fffff70000	0x7fffff71fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff72000	0x7fffff72000	0x7fffff73fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff74000	0x7fffff74000	0x7fffff75fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff76000	0x7fffff76000	0x7fffff77fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff78000	0x7fffff78000	0x7fffff79fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff7a000	0x7fffff7a000	0x7fffff7bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff7c000	0x7fffff7c000	0x7fffff7dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff7e000	0x7fffff7e000	0x7fffff7ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff80000	0x7fffff80000	0x7fffff81fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff82000	0x7fffff82000	0x7fffff83fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff84000	0x7fffff84000	0x7fffff85fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff86000	0x7fffff86000	0x7fffff87fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff88000	0x7fffff88000	0x7fffff89fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff8a000	0x7fffff8a000	0x7fffff8bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff8c000	0x7fffff8c000	0x7fffff8dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff8e000	0x7fffff8e000	0x7fffff8ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff90000	0x7fffff90000	0x7fffff91fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff92000	0x7fffff92000	0x7fffff93fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff94000	0x7fffff94000	0x7fffff95fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff96000	0x7fffff96000	0x7fffff97fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff98000	0x7fffff98000	0x7fffff99fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9a000	0x7fffff9a000	0x7fffff9bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9c000	0x7fffff9c000	0x7fffff9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9e000	0x7fffff9e000	0x7fffff9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

File (1380)

Operation	Filename	Additional Information	Success	Count	Logfile
CREATE	\device\000001a9\0d24eb7c\lsash.xp	desired_access = GENERIC_READ, create_disposition = OPEN_EXISTING		690	Fn
DELETE	\device\000001a9\0d24eb7c\lsash.xp			690	Fn

Process (1)

Operation	Process Name	Additional Information	Success	Count	Logfile
CREATE	C:\Windows\SysWOW64\ping.exe 127.0.0.1 -t	os_tid = 0x510, os_pid = 0x50c, show_window = SW_HIDE		1	Fn

Thread (4)

Operation	Count	Logfile
CREATE_WORKITEM	1	Fn
CREATE_WORKITEM	1	Fn
CREATE_WORKITEM	1	Fn
CREATE_WORKITEM	1	Fn

Module (158)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	3	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\system32\svchost.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetNativeSystemInfo, address = 0x77a3b7e0	1	Fn

Registry (1)

Operation	Key	Additional Information	Success	Count	Logfile
READ_VALUE	HKEY_LOCAL_MACHINE\software\classes\http\shell\open\command	data_ident_out = "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome		1	Fn

System (2987)

Operation	Information	Count	Logfile
SLEEP	duration = 180000 milliseconds (180.000 seconds)	690	Fn
SLEEP	duration = 60000 milliseconds (60.000 seconds)	831	Fn
SLEEP	duration = 86400000 milliseconds (86400.000 seconds)	1	Fn
SLEEP	duration = 600000 milliseconds (600.000 seconds)	733	Fn
SLEEP	duration = 300000 milliseconds (300.000 seconds)	1	Fn
SLEEP	duration = 1200000 milliseconds (1200.000 seconds)	731	Fn

Mutex (5067)

Operation	Name	Additional Information	Count	Logfile
CREATE	Global\B10C62E4-234C-4BF6-A1D5-1C0309CED145	initial_owner = 0	1	Fn
CREATE	Global\C3819288-93FA-4E29-A254-BD9476B53C20	initial_owner = 0	1	Fn
CREATE	Global\6C29A0C8-62C6-415C-9538-B87690BC58D2	initial_owner = 0	1	Fn
OPEN	Global\D6E9C81C-3831-4873-96BA-7C98D2DEBEF9	desired_access = SYNCHRONIZE	1	Fn
OPEN	Global\D6E9C81C-3831-4873-96BA-7C98D2DEBEF9	desired_access = SYNCHRONIZE	829	Fn
RELEASE	Global\C3819288-93FA-4E29-A254-BD9476B53C20		3544	Fn
RELEASE	Global\6C29A0C8-62C6-415C-9538-B87690BC58D2		690	Fn

Ini (3545)

Operation	Filename	Additional Information	Count	Logfile
READ	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = cmd, key_name = bsh, default_value = noname, data_out = noname	1	Fn
READ	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = main, key_name = aid, default_value = 10000, data_out = 66671	1	Fn
READ	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = main, key_name = sid, default_value = 0, data_out = 0	1	Fn
READ	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = main, key_name = version, default_value = 0.0, data_out = 0.03	1	Fn
READ	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = main, key_name = installdate, default_value = 0, data_out = 6.12.2016 9:36:14	1	Fn
READ	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = main, key_name = builddate, default_value = 0, data_out = 351	1	Fn
READ	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = main, key_name = rnd, default_value = , data_out =	1	Fn
READ	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = cmd, key_name = nuh, default_value = 0	1	Fn
READ	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = main, key_name = knt, default_value = 0	690	Fn
READ	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = cmd, key_name = dlc_srand, default_value = 0	1422	Fn
READ	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = cmd, key_name = delay, default_value = 3600	690	Fn
READ_SECTION	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	data_out =	733	Fn
WRITE	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = main, key_name = rnd, data = 2040373303	1	Fn
WRITE	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = cmd, key_name = version, data = 0.31	1	Fn

Process #20: audiodg.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#20 / 0x3c4
OS Parent PID	0x2c4 (c:\windows\system32\svchost.exe)
Initial Working Directory	C:\Windows
File Name	c:\windows\system32\audiodg.exe
Command Line	C:\Windows\system32\AUDIODG.EXE 0x2b0
Monitor	Start Time: 00:01:21, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:00:49
OS Thread IDs	# 205 0x 3C8 # 206 0x 3CC # 208 0x 3D4 # 210 0x 3DC # 211 0x 3E0 # 366 0x 5E8 # 375 0x 60C # 379 0x 618 # 388 0x 63C # 392 0x 64C # 395 0x 660 # 397 0x 65C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x00010fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000020000	0x00020000	0x00021fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x0004ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00056fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	Readable, Writable	Region Actions
audiodg.exe.mui	0x00070000	0x00070fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000a0000	0x000a0000	0x000a0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000b0000	0x000b0000	0x0012ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000130000	0x00130000	0x00131fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000140000	0x00140000	0x00141fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000160000	0x00160000	0x00160fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x00171fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000180000	0x00180000	0x0027ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00280000	0x002e6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000002f0000	0x002f0000	0x003effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x0046ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000470000	0x00470000	0x00470fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000480000	0x00480000	0x0048ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000490000	0x00490000	0x00617fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000620000	0x00620000	0x007a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007b0000	0x007b0000	0x0086ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000870000	0x00870000	0x00871fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000880000	0x00880000	0x008c1fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008d0000	0x008d0000	0x0094ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x009b0000	0x00c7efff	Memory Mapped File	Readable	Region Actions
private_0x0000000000c90000	0x00c90000	0x00d0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e20000	0x00e20000	0x00e9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000eb0000	0x00eb0000	0x00f2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f30000	0x00f30000	0x01332fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001340000	0x01340000	0x01742fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001750000	0x01750000	0x01b42fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001b50000	0x01b50000	0x01f52fff	Private Memory	Readable, Writable	Region Actions
ksuser.dll	0x743b0000	0x743b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
audiodg.exe	0xffb20000	0xffb43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mfplat.dll	0x7fef9f20000	0x7fef9f8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WMALFXGFXDSP.dll	0x7fef9f90000	0x7fefa117fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
AudioSes.dll	0x7fefa1c0000	0x7fefa20efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefbb30000	0x7fefbb5cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
avrt.dll	0x7fefbb60000	0x7fefbb68fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
AUDIOKSE.dll	0x7fefbcf0000	0x7fefbd6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
AudioEng.dll	0x7fefbe40000	0x7fefbeb0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
MMDevAPI.dll	0x7fefc0b0000	0x7fefc0fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc520000	0x7fefc64bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd190000	0x7fefd1d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd490000	0x7fefd4a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefda90000	0x7fefda9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefdb40000	0x7fefdb53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefddc0000	0x7fefddf5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefde70000	0x7fefde89fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x7fefdf30000	0x7fefdf69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feff1e0000	0x7feff22cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7feff310000	0x7feff4e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff570000	0x7feff608fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x7feff680000	0x7feff6d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feffce0000	0x7feffce7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x0	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	WININET.dll	base_address = 0x0	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\system32\AUDIODG.EXE		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	Unknown module name	function = InternetOpenA, address = 0x0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	Unknown module name	function = InternetReadFile, address = 0x0	1	Fn
GET_PROC_ADDRESS	Unknown module name	function = HttpQueryInfoW, address = 0x0	1	Fn
GET_PROC_ADDRESS	Unknown module name	function = InternetSetOptionW, address = 0x0	1	Fn
GET_PROC_ADDRESS	Unknown module name	function = InternetQueryOptionW, address = 0x0	1	Fn
GET_PROC_ADDRESS	Unknown module name	function = HttpSendRequestA, address = 0x0	1	Fn
GET_PROC_ADDRESS	Unknown module name	function = HttpOpenRequestA, address = 0x0	1	Fn
GET_PROC_ADDRESS	Unknown module name	function = InternetConnectA, address = 0x0	1	Fn
GET_PROC_ADDRESS	Unknown module name	function = InternetCloseHandle, address = 0x0	1	Fn
GET_PROC_ADDRESS	Unknown module name	function = InternetCrackUrlA, address = 0x0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn

Process #21: svchost.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#21 / 0x128
OS Parent PID	0x1d4 (c:\windows\system32\services.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe -k LocalService
Monitor	Start Time: 00:01:25, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:00:45
OS Thread IDs	# 223 0x 124 # 225 0x 12C # 227 0x 150 # 230 0x 154 # 231 0x 148 # 235 0x 16C # 238 0x 218 # 268 0x 438 # 378 0x 614 # 468 0x 784 # 469 0x 790 # 470 0x 794 # 475 0x 7A8 # 477 0x 7B0 # 482 0x 7C4 # 491 0x 7E8 # 499 0x 418 # 505 0x 498 # 507 0x 414

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x00010fff	Pagefile Backed Memory	Readable	Region Actions
stdole2.tlb	0x00020000	0x00023fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x0006ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00076fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000080000	0x00080000	0x00081fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000a0000	0x000a0000	0x0019ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001a0000	0x001a0000	0x001a0fff	Private Memory	Readable, Writable	Region Actions
es.dll	0x001b0000	0x001c0fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001d0000	0x001d0000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00250000	0x002b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000002c0000	0x002c0000	0x003bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003c0000	0x003c0000	0x003c1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000003e0000	0x003e0000	0x003effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x003fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000400000	0x00400000	0x00587fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000590000	0x00590000	0x00710fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000720000	0x00720000	0x007dffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007e0000	0x007e0000	0x00bd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000c00000	0x00c00000	0x00c7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c00000	0x00c00000	0x00c0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ca0000	0x00ca0000	0x00d1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d80000	0x00d80000	0x00dfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e20000	0x00e20000	0x00e9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ef0000	0x00ef0000	0x00f6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001000000	0x01000000	0x0107ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x010a0000	0x0136efff	Memory Mapped File	Readable	Region Actions
private_0x00000000013a0000	0x013a0000	0x0141ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001430000	0x01430000	0x014affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014b0000	0x014b0000	0x015affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015b0000	0x015b0000	0x016affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015f0000	0x015f0000	0x0166ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016b0000	0x016b0000	0x0172ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001730000	0x01730000	0x017affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001790000	0x01790000	0x0180ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001830000	0x01830000	0x018affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000018c0000	0x018c0000	0x0193ffff	Private Memory	Readable, Writable	Region Actions
KernelBase.dll.mui	0x01940000	0x019fffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000001a20000	0x01a20000	0x01a9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001aa0000	0x01aa0000	0x01b1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b80000	0x01b80000	0x01bfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c00000	0x01c00000	0x01cfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d40000	0x01d40000	0x01dbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001eb0000	0x01eb0000	0x01ebffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ee0000	0x01ee0000	0x01f5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002110000	0x02110000	0x0218ffff	Private Memory	Readable, Writable	Region Actions
sfc.dll	0x75960000	0x75962fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
svchost.exe	0xff1c0000	0xff1cafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
perftrack.dll	0x7fef79a0000	0x7fef7a77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
npmproxy.dll	0x7fef7a80000	0x7fef7a8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wdi.dll	0x7fef7c70000	0x7fef7c88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netprofm.dll	0x7fef7d50000	0x7fef7dc3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sfc_os.dll	0x7fef8c50000	0x7fef8c5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
aepic.dll	0x7fef8c60000	0x7fef8c71fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
webio.dll	0x7fef90a0000	0x7fef9103fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winhttp.dll	0x7fef9110000	0x7fef9180fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pnrpnsp.dll	0x7fef9b00000	0x7fef9b18fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winrnr.dll	0x7fefa120000	0x7fefa12afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
NapiNSP.dll	0x7fefa130000	0x7fefa144fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wer.dll	0x7fefa720000	0x7fefa79bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsisvc.dll	0x7fefadf0000	0x7fefadf9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7fefb680000	0x7fefb68afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IPHLPAPI.DLL	0x7fefb690000	0x7fefb6b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
es.dll	0x7fefb6c0000	0x7fefb726fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x7fefb940000	0x7fefb954fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefc090000	0x7fefc0a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcd60000	0x7fefcd6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x7fefcf30000	0x7fefcf4afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefd060000	0x7fefd069fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd190000	0x7fefd1d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x7fefd2b0000	0x7fefd30afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd430000	0x7fefd484fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd490000	0x7fefd4a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefda00000	0x7fefda0afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefda60000	0x7fefda84fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefda90000	0x7fefda9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxs.dll	0x7fefdaa0000	0x7fefdb30fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefdb40000	0x7fefdb53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feff1e0000	0x7feff22cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff570000	0x7feff608fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feffce0000	0x7feffce7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff9c000	0x7fffff9c000	0x7fffff9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9e000	0x7fffff9e000	0x7fffff9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\system32\svchost.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn

Process #22: dllhost.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#22 / 0x21c
OS Parent PID	0x250 (c:\windows\system32\svchost.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\dllhost.exe
Command Line	C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
Monitor	Start Time: 00:01:26, Reason: Child Process
Unmonitor	End Time: 00:01:35, Reason: Terminated
Monitor Duration	00:00:09
OS Thread IDs	# 242 0x 214 # 243 0x 264 # 244 0x 290 # 245 0x 2B0 # 246 0x 300 # 247 0x 370 # 248 0x 38C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x00010fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00020fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000030000	0x00030000	0x0012ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000130000	0x00130000	0x00133fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000140000	0x00140000	0x00140fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000150000	0x00150000	0x0015ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
locale.nls	0x00160000	0x001c6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000001d0000	0x001d0000	0x0028ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000290000	0x00290000	0x00290fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000002b0000	0x002b0000	0x002b0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000002c0000	0x002c0000	0x003bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004b0000	0x004b0000	0x004bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004c0000	0x004c0000	0x005bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005c0000	0x005c0000	0x00747fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000750000	0x00750000	0x008d0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000960000	0x00960000	0x00a5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ad0000	0x00ad0000	0x00b4ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00b50000	0x00e1efff	Memory Mapped File	Readable	Region Actions
private_0x0000000000e80000	0x00e80000	0x00f7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f80000	0x00f80000	0x0107ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000010c0000	0x010c0000	0x011bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000011f0000	0x011f0000	0x012effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001420000	0x01420000	0x0151ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016b0000	0x016b0000	0x016bffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
dllhost.exe	0xff6f0000	0xff6f6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IDStore.dll	0x7fefb5a0000	0x7fefb5b1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefb5c0000	0x7fefb65ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefbb30000	0x7fefbb5cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samlib.dll	0x7fefc650000	0x7fefc66cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shacct.dll	0x7fefc670000	0x7fefc693fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefcf50000	0x7fefcf6dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd190000	0x7fefd1d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd490000	0x7fefd4a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefda90000	0x7fefda9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefdb40000	0x7fefdb53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefdba0000	0x7fefdbaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7fefdf70000	0x7fefecf7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff570000	0x7feff608fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x7feff680000	0x7feff6d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\system32\DllHost.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn

Process #23: userinit.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#23 / 0x3bc
OS Parent PID	0x19c (c:\windows\system32\winlogon.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\userinit.exe
Command Line	C:\Windows\system32\userinit.exe
Monitor	Start Time: 00:01:28, Reason: Child Process
Unmonitor	End Time: 00:02:05, Reason: Terminated
Monitor Duration	00:00:37
OS Thread IDs	# 251 0x 3EC # 434 0x 6FC # 436 0x 704

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x0006ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x0010ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000120000	0x00120000	0x00120fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x0036ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003c0000	0x003c0000	0x004bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004c0000	0x004c0000	0x00647fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000650000	0x00650000	0x007d0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007e0000	0x007e0000	0x01bdffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001be0000	0x01be0000	0x01fd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002050000	0x02050000	0x020cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002160000	0x02160000	0x021dffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x021e0000	0x024aefff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000024b0000	0x024b0000	0x0258efff	Pagefile Backed Memory	Readable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
userinit.exe	0xff100000	0xff10bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefc090000	0x7fefc0a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc4c0000	0x7fefc515fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefcf50000	0x7fefcf6dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefdba0000	0x7fefdbaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\system32\userinit.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn

Process #24: explorer.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#24 / 0x140
OS Parent PID	0x3bc (c:\windows\system32\userinit.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\explorer.exe
Command Line	C:\Windows\Explorer.EXE
Monitor	Start Time: 00:01:28, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:00:42
OS Thread IDs	# 252 0x 1C8 # 253 0x 148 # 254 0x 130 # 256 0x 38C # 257 0x 404 # 258 0x 408 # 259 0x 40C # 260 0x 410 # 261 0x 414 # 294 0x 4A4 # 295 0x 4A8 # 296 0x 4B0 # 297 0x 4B4 # 299 0x 4BC # 300 0x 4C0 # 301 0x 4C4 # 302 0x 4C8 # 303 0x 4CC # 304 0x 4D8 # 305 0x 4DC # 308 0x 4E4 # 309 0x 4E8 # 310 0x 4EC # 312 0x 4F4 # 318 0x 51C # 321 0x 520 # 323 0x 52C # 334 0x 564 # 357 0x 5C4 # 362 0x 5D8 # 376 0x 610 # 383 0x 628 # 385 0x 630 # 389 0x 640 # 393 0x 650 # 394 0x 654 # 402 0x 674 # 404 0x 67C # 405 0x 680 # 411 0x 69C # 433 0x 6F8 # 520 0x 2B0 # 535 0x 308

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x00010fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00021fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x0006ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000080000	0x00080000	0x00086fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000090000	0x00090000	0x00091fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000a0000	0x000a0000	0x000a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000b0000	0x000b0000	0x0012ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00130000	0x00196fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001a0000	0x001a0000	0x001a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001f0000	0x001f0000	0x001f0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000200000	0x00200000	0x00201fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x0021ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000220000	0x00220000	0x00231fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000240000	0x00240000	0x00240fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000260000	0x00260000	0x00271fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000280000	0x00280000	0x00281fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000290000	0x00290000	0x00290fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000002b0000	0x002b0000	0x002b1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000002c0000	0x002c0000	0x002c1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000002d0000	0x002d0000	0x003cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003d0000	0x003d0000	0x004cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004d0000	0x004d0000	0x00657fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000660000	0x00660000	0x007e0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007f0000	0x007f0000	0x01beffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001bf0000	0x01bf0000	0x01fe2fff	Pagefile Backed Memory	Readable	Region Actions
comctl32.dll.mui	0x01ff0000	0x01ff2fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000002000000	0x02000000	0x02000fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002010000	0x02010000	0x0201ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002020000	0x02020000	0x02020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002030000	0x02030000	0x020affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000020b0000	0x020b0000	0x020b8fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000020c0000	0x020c0000	0x020c7fff	Private Memory	Readable, Writable	Region Actions
{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000009.db	0x020d0000	0x020e5fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000020f0000	0x020f0000	0x020f0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cversions.2.db	0x02100000	0x02103fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002110000	0x02110000	0x0218ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002190000	0x02190000	0x0220ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002210000	0x02210000	0x022eefff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000022f0000	0x022f0000	0x023effff	Private Memory	Readable, Writable	Region Actions
cversions.2.db	0x022f0000	0x022f3fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000002300000	0x02300000	0x02301fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002310000	0x02310000	0x0238ffff	Private Memory	Readable, Writable	Region Actions
{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db	0x02390000	0x023bffff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000023c0000	0x023c0000	0x023c1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000023d0000	0x023d0000	0x023d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000023e0000	0x023e0000	0x023e3fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000023f0000	0x023f0000	0x024a7fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024b0000	0x024b0000	0x024b3fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024c0000	0x024c0000	0x024c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024d0000	0x024d0000	0x024d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024e0000	0x024e0000	0x024e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024f0000	0x024f0000	0x024f0fff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x02500000	0x027cefff	Memory Mapped File	Readable	Region Actions
private_0x00000000027d0000	0x027d0000	0x02949fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002950000	0x02950000	0x02950fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002960000	0x02960000	0x029dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029e0000	0x029e0000	0x029e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029f0000	0x029f0000	0x02a6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a70000	0x02a70000	0x02b6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b70000	0x02b70000	0x02c6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c70000	0x02c70000	0x02e6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c70000	0x02c70000	0x02ceffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002cf0000	0x02cf0000	0x02deffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002cf0000	0x02cf0000	0x02d2ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002cf0000	0x02cf0000	0x02cf1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002d00000	0x02d00000	0x02d01fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002d10000	0x02d10000	0x02d11fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002d20000	0x02d20000	0x02d21fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002d30000	0x02d30000	0x02daffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002db0000	0x02db0000	0x02db1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002df0000	0x02df0000	0x02e6ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002e70000	0x02e70000	0x031b2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000031c0000	0x031c0000	0x031c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000031d0000	0x031d0000	0x031d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000031e0000	0x031e0000	0x031e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000031f0000	0x031f0000	0x031f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003200000	0x03200000	0x0327ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003280000	0x03280000	0x03280fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003290000	0x03290000	0x03290fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000032a0000	0x032a0000	0x032a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000032b0000	0x032b0000	0x032b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000032c0000	0x032c0000	0x0333ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003340000	0x03340000	0x0336ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003340000	0x03340000	0x03340fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003350000	0x03350000	0x03353fff	Private Memory	Readable, Writable	Region Actions
thumbcache_1024.db	0x03360000	0x03360fff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x0000000003370000	0x03370000	0x03371fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000003380000	0x03380000	0x03381fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x03390000	0x03393fff	Memory Mapped File	Readable	Region Actions
private_0x00000000033a0000	0x033a0000	0x0341ffff	Private Memory	Readable, Writable	Region Actions
{40FC8D7D-05ED-4FEB-B03B-6C100659EF5C}.2.ver0x0000000000000001.db	0x03420000	0x03420fff	Memory Mapped File	Readable	Region Actions
thumbcache_sr.db	0x03430000	0x03430fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000003440000	0x03440000	0x034bffff	Private Memory	Readable, Writable	Region Actions
StaticCache.dat	0x034c0000	0x03deffff	Memory Mapped File	Readable	Region Actions
private_0x0000000003df0000	0x03df0000	0x03e6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003e30000	0x03e30000	0x03eaffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003e70000	0x03e70000	0x03ebffff	Private Memory	Readable, Writable	Region Actions
thumbcache_idx.db	0x03ec0000	0x03ec0fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000003ed0000	0x03ed0000	0x03f4ffff	Private Memory	Readable, Writable	Region Actions
{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db	0x03f50000	0x03fb5fff	Memory Mapped File	Readable	Region Actions
private_0x0000000003fc0000	0x03fc0000	0x03fc1fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000003fd0000	0x03fd0000	0x03fd1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000003fe0000	0x03fe0000	0x0405ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004060000	0x04060000	0x040dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000040e0000	0x040e0000	0x0415ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004160000	0x04160000	0x041a7fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000041b0000	0x041b0000	0x041e2fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000041f0000	0x041f0000	0x041f0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000004200000	0x04200000	0x0427ffff	Private Memory	Readable, Writable	Region Actions
wdmaud.drv.mui	0x04280000	0x04280fff	Memory Mapped File	Readable, Writable	Region Actions
MMDevAPI.dll.mui	0x04290000	0x04290fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000042a0000	0x042a0000	0x042a1fff	Private Memory	Readable, Writable	Region Actions
thumbcache_1024.db	0x042b0000	0x042b0fff	Memory Mapped File	Readable, Writable	Region Actions
thumbcache_sr.db	0x042c0000	0x042c0fff	Memory Mapped File	Readable, Writable	Region Actions
thumbcache_idx.db	0x042d0000	0x042d0fff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x00000000042e0000	0x042e0000	0x042e1fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x042f0000	0x042f3fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000004300000	0x04300000	0x04301fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000004310000	0x04310000	0x0438ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004390000	0x04390000	0x04390fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000043a0000	0x043a0000	0x0441ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004420000	0x04420000	0x0461ffff	Private Memory	Readable, Writable	Region Actions
TranscodedWallpaper.jpg	0x04620000	0x046bcfff	Memory Mapped File	Readable	Region Actions
private_0x0000000004620000	0x04620000	0x0469ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000046a0000	0x046a0000	0x046a0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000046b0000	0x046b0000	0x046b1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000046c0000	0x046c0000	0x04d57fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000046c0000	0x046c0000	0x046c1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000046d0000	0x046d0000	0x046d1fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000046e0000	0x046e0000	0x0475ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000047c0000	0x047c0000	0x047cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000047f0000	0x047f0000	0x0486ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000048b0000	0x048b0000	0x0492ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004940000	0x04940000	0x049bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a00000	0x04a00000	0x04a7ffff	Private Memory	Readable, Writable	Region Actions
thumbcache_32.db	0x04a80000	0x04b7ffff	Memory Mapped File	Readable, Writable	Region Actions
thumbcache_96.db	0x04b80000	0x04c7ffff	Memory Mapped File	Readable, Writable	Region Actions
thumbcache_256.db	0x04c80000	0x04d7ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000004da0000	0x04da0000	0x04e1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004e20000	0x04e20000	0x05222fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004ee0000	0x04ee0000	0x05577fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005260000	0x05260000	0x052dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000052b0000	0x052b0000	0x0532ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000052f0000	0x052f0000	0x0536ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000053a0000	0x053a0000	0x0541ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005420000	0x05420000	0x0551ffff	Private Memory	Readable, Writable	Region Actions
KernelBase.dll.mui	0x05420000	0x054dffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000005490000	0x05490000	0x0550ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005500000	0x05500000	0x0557ffff	Private Memory	Readable, Writable	Region Actions
thumbcache_32.db	0x05580000	0x0567ffff	Memory Mapped File	Readable, Writable	Region Actions
thumbcache_96.db	0x05680000	0x0577ffff	Memory Mapped File	Readable, Writable	Region Actions
thumbcache_256.db	0x05780000	0x0587ffff	Memory Mapped File	Readable, Writable	Region Actions
imageres.dll	0x05880000	0x06bd4fff	Memory Mapped File	Readable	Region Actions
private_0x0000000006cf0000	0x06cf0000	0x06cfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006d90000	0x06d90000	0x06e0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006e40000	0x06e40000	0x06ebffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006f10000	0x06f10000	0x06f8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006f90000	0x06f90000	0x0700ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007030000	0x07030000	0x070affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007260000	0x07260000	0x0726ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007270000	0x07270000	0x0756ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007700000	0x07700000	0x0777ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000078f0000	0x078f0000	0x0796ffff	Private Memory	Readable, Writable	Region Actions
ksuser.dll	0x743b0000	0x743b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imageres.dll	0x74610000	0x75965fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FXSRESM.dll	0x75870000	0x75952fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
explorer.exe	0xffec0000	0x10017ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bthprops.cpl	0x7fef7880000	0x7fef7934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mlang.dll	0x7fef79b0000	0x7fef79eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleacc.dll	0x7fef79f0000	0x7fef7a43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ieframe.dll	0x7fef7a50000	0x7fef8606fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
npmproxy.dll	0x7fef7a80000	0x7fef7a8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netprofm.dll	0x7fef7d50000	0x7fef7dc3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
provsvc.dll	0x7fef81b0000	0x7fef81e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
hgcpl.dll	0x7fef81f0000	0x7fef8244fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imapi2.dll	0x7fef83b0000	0x7fef842efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
SyncCenter.dll	0x7fef8430000	0x7fef865afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
webcheck.dll	0x7fef8610000	0x7fef8659fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srchadmin.dll	0x7fef88c0000	0x7fef8917fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FXSAPI.dll	0x7fef8ad0000	0x7fef8b6cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FXSST.dll	0x7fef8b70000	0x7fef8c46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ActionCenter.dll	0x7fef8f90000	0x7fef9051fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscobj.dll	0x7fef9060000	0x7fef909efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
webio.dll	0x7fef90a0000	0x7fef9103fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winhttp.dll	0x7fef9110000	0x7fef9180fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ncsi.dll	0x7fef9190000	0x7fef91c7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
QUTIL.DLL	0x7fef91d0000	0x7fef91eefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pnidui.dll	0x7fef91f0000	0x7fef93acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
AltTab.dll	0x7fef93b0000	0x7fef93bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WWanAPI.dll	0x7fef93d0000	0x7fef942dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
PortableDeviceApi.dll	0x7fef9430000	0x7fef94ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
PortableDeviceTypes.dll	0x7fef94f0000	0x7fef9528fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WPDShServiceObj.dll	0x7fef9530000	0x7fef954ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netshell.dll	0x7fef9550000	0x7fef97dafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ehSSO.dll	0x7fef97e0000	0x7fef97eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
DXP.dll	0x7fef97f0000	0x7fef9863fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
QAGENT.DLL	0x7fef9910000	0x7fef9954fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanapi.dll	0x7fef9960000	0x7fef997ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wwapi.dll	0x7fef9980000	0x7fef998cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanutil.dll	0x7fef9990000	0x7fef9996fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x7fef9d40000	0x7fef9db0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
prnfldr.dll	0x7fef9dc0000	0x7fef9e28fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
AudioSes.dll	0x7fefa1c0000	0x7fefa20efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
networkexplorer.dll	0x7fefa290000	0x7fefa42bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
thumbcache.dll	0x7fefa430000	0x7fefa44efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
tiptsf.dll	0x7fefa590000	0x7fefa60efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msls31.dll	0x7fefa610000	0x7fefa64afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msftedit.dll	0x7fefa650000	0x7fefa715fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wer.dll	0x7fefa720000	0x7fefa79bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gameux.dll	0x7fefa7a0000	0x7fefaa42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
linkinfo.dll	0x7fefaa50000	0x7fefaa5bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shdocvw.dll	0x7fefaa60000	0x7fefaa93fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
actxprxy.dll	0x7fefaaa0000	0x7fefab8dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x7fefac70000	0x7fefac87fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc6.dll	0x7fefac90000	0x7fefaca0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FWPUCLNT.DLL	0x7fefacc0000	0x7fefad12fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
timedate.cpl	0x7fefb150000	0x7fefb1d2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IconCodecService.dll	0x7fefb1e0000	0x7fefb1e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntshrui.dll	0x7fefb1f0000	0x7fefb26ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscapi.dll	0x7fefb270000	0x7fefb27efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscdll.dll	0x7fefb280000	0x7fefb28bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscui.dll	0x7fefb290000	0x7fefb30dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
EhStorShell.dll	0x7fefb310000	0x7fefb344fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x7fefb350000	0x7fefb3a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ExplorerFrame.dll	0x7fefb3b0000	0x7fefb579fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Syncreg.dll	0x7fefb5a0000	0x7fefb5b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wdmaud.drv	0x7fefb5e0000	0x7fefb61afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x7fefb620000	0x7fefb65afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7fefb680000	0x7fefb68afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IPHLPAPI.DLL	0x7fefb690000	0x7fefb6b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
es.dll	0x7fefb6c0000	0x7fefb726fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefb740000	0x7fefb74afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskschd.dll	0x7fefb7b0000	0x7fefb8d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefb8e0000	0x7fefb8f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x7fefb940000	0x7fefb954fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefbb30000	0x7fefbb5cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
avrt.dll	0x7fefbb60000	0x7fefbb68fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
batmeter.dll	0x7fefbc30000	0x7fefbce9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x7fefbd70000	0x7fefbd83fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x7fefbd90000	0x7fefbda4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x7fefbdb0000	0x7fefbdbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
stobject.dll	0x7fefbdf0000	0x7fefbe32fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
midimap.dll	0x7fefbec0000	0x7fefbec8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msacm32.dll	0x7fefbed0000	0x7fefbee7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefbef0000	0x7fefbf00fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msacm32.drv	0x7fefbf10000	0x7fefbf19fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WindowsCodecs.dll	0x7fefbf20000	0x7fefc049fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
xmllite.dll	0x7fefc050000	0x7fefc084fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefc090000	0x7fefc0a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
MMDevAPI.dll	0x7fefc0b0000	0x7fefc0fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
hid.dll	0x7fefc100000	0x7fefc10afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
SndVolSSO.dll	0x7fefc110000	0x7fefc14afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
duser.dll	0x7fefc150000	0x7fefc192fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dui70.dll	0x7fefc1a0000	0x7fefc291fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
GdiPlus.dll	0x7fefc2a0000	0x7fefc4b4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc4c0000	0x7fefc515fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc520000	0x7fefc64bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samlib.dll	0x7fefc650000	0x7fefc66cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shacct.dll	0x7fefc670000	0x7fefc693fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefc6a0000	0x7fefc893fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptui.dll	0x7fefc8a0000	0x7fefc9a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
authui.dll	0x7fefc9b0000	0x7fefcb89fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x7fefcb90000	0x7fefcbbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcd60000	0x7fefcd6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefcf50000	0x7fefcf6dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefd060000	0x7fefd069fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd190000	0x7fefd1d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd490000	0x7fefd4a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefd6a0000	0x7fefd70cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x7fefd960000	0x7fefd982fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefda00000	0x7fefda0afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefda60000	0x7fefda84fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefda90000	0x7fefda9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxs.dll	0x7fefdaa0000	0x7fefdb30fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefdb40000	0x7fefdb53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefdb60000	0x7fefdb9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefdba0000	0x7fefdbaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefddc0000	0x7fefddf5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefde70000	0x7fefde89fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x7fefdf30000	0x7fefdf69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7fefdf70000	0x7fefecf7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feff1e0000	0x7feff22cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7feff310000	0x7feff4e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff570000	0x7feff608fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x7feff680000	0x7feff6d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feffce0000	0x7feffce7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff7e000	0x7fffff7e000	0x7fffff7ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff80000	0x7fffff80000	0x7fffff81fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff82000	0x7fffff82000	0x7fffff83fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff84000	0x7fffff84000	0x7fffff85fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff86000	0x7fffff86000	0x7fffff87fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff88000	0x7fffff88000	0x7fffff89fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff8a000	0x7fffff8a000	0x7fffff8bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff8c000	0x7fffff8c000	0x7fffff8dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff8e000	0x7fffff8e000	0x7fffff8ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff90000	0x7fffff90000	0x7fffff91fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff92000	0x7fffff92000	0x7fffff93fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff92000	0x7fffff92000	0x7fffff93fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff94000	0x7fffff94000	0x7fffff95fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff96000	0x7fffff96000	0x7fffff97fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff98000	0x7fffff98000	0x7fffff99fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9a000	0x7fffff9a000	0x7fffff9bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9c000	0x7fffff9c000	0x7fffff9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9e000	0x7fffff9e000	0x7fffff9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\Explorer.EXE		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn

Process #25: dwm.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#25 / 0x424
OS Parent PID	0x33c (c:\windows\system32\svchost.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\dwm.exe
Command Line	"C:\Windows\system32\Dwm.exe"
Monitor	Start Time: 00:01:29, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:00:41
OS Thread IDs	# 265 0x 428 # 267 0x 43C # 269 0x 440 # 270 0x 448 # 272 0x 44C # 541 0x 5C0 # 542 0x 550

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x0006ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000210000	0x00210000	0x0030ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000370000	0x00370000	0x0046ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000470000	0x00470000	0x005f7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000600000	0x00600000	0x00780fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000790000	0x00790000	0x01b8ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001b90000	0x01b90000	0x01f82fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002130000	0x02130000	0x0213ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002310000	0x02310000	0x0238ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002510000	0x02510000	0x0258ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x02870000	0x02b3efff	Memory Mapped File	Readable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
dwm.exe	0xffce0000	0xffd02fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dxgi.dll	0x7fefae20000	0x7fefaec6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d10_1core.dll	0x7fefaed0000	0x7fefaf24fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d10_1.dll	0x7fefaf30000	0x7fefaf63fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmcore.dll	0x7fefaf70000	0x7fefb101fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmredir.dll	0x7fefb110000	0x7fefb136fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WindowsCodecs.dll	0x7fefbf20000	0x7fefc049fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefc090000	0x7fefc0a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc4c0000	0x7fefc515fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcd60000	0x7fefcd6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\system32\Dwm.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn

Process #26: svchost.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#26 / 0x458
OS Parent PID	0x1d4 (c:\windows\system32\services.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe -k NetworkService
Monitor	Start Time: 00:01:29, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:00:41
OS Thread IDs	# 275 0x 45C # 278 0x 464 # 280 0x 46C # 281 0x 470 # 282 0x 474 # 283 0x 478 # 286 0x 484 # 287 0x 488 # 288 0x 48C # 289 0x 490 # 291 0x 498 # 292 0x 49C # 306 0x 4B8 # 331 0x 554 # 407 0x 688 # 414 0x 6A8 # 415 0x 6AC # 416 0x 6B4 # 418 0x 6BC # 419 0x 6C0 # 424 0x 6D4 # 425 0x 6D8 # 426 0x 6DC # 427 0x 6E0 # 487 0x 6B0 # 488 0x 7D8 # 508 0x 4A8 # 509 0x 4B0

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000010000	0x00010000	0x0001ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00020fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x0006ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x00120fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000130000	0x00130000	0x00130fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x001cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001d0000	0x001d0000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000260000	0x00260000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002a0000	0x002a0000	0x0039ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003a0000	0x003a0000	0x0049ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004a0000	0x004a0000	0x00627fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000630000	0x00630000	0x007b0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007c0000	0x007c0000	0x0087ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000880000	0x00880000	0x00c72fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000cb0000	0x00cb0000	0x00d2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d90000	0x00d90000	0x00e0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e30000	0x00e30000	0x00eaffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00ec0000	0x0118efff	Memory Mapped File	Readable	Region Actions
private_0x00000000011d0000	0x011d0000	0x0124ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001270000	0x01270000	0x012effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001310000	0x01310000	0x0138ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001390000	0x01390000	0x0148ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001420000	0x01420000	0x0149ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001490000	0x01490000	0x0150ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001530000	0x01530000	0x015affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015c0000	0x015c0000	0x0163ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001670000	0x01670000	0x016effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016f0000	0x016f0000	0x0176ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001770000	0x01770000	0x017effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001830000	0x01830000	0x018affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001950000	0x01950000	0x019cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000019d0000	0x019d0000	0x01a4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001aa0000	0x01aa0000	0x01b1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ae0000	0x01ae0000	0x01b5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b30000	0x01b30000	0x01b3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c10000	0x01c10000	0x01c1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c20000	0x01c20000	0x01d1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d20000	0x01d20000	0x01e1ffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
svchost.exe	0xff1c0000	0xff1cafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ssdpapi.dll	0x7fef8cc0000	0x7fef8cd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ncsi.dll	0x7fef8cf0000	0x7fef8d27fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlasvc.dll	0x7fef8d30000	0x7fef8d7dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vssapi.dll	0x7fef8db0000	0x7fef8f5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsvc.dll	0x7fef8f60000	0x7fef8f8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
webio.dll	0x7fef90a0000	0x7fef9103fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winhttp.dll	0x7fef9110000	0x7fef9180fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vsstrace.dll	0x7fef9190000	0x7fef91a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkssvc.dll	0x7fef91b0000	0x7fef91cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x7fefac70000	0x7fefac87fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc6.dll	0x7fefac90000	0x7fefaca0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsext.dll	0x7fefacb0000	0x7fefacb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FWPUCLNT.DLL	0x7fefacc0000	0x7fefad12fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsrslvr.dll	0x7fefad20000	0x7fefad4ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7fefb680000	0x7fefb68afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IPHLPAPI.DLL	0x7fefb690000	0x7fefb6b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
es.dll	0x7fefb6c0000	0x7fefb726fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefb8e0000	0x7fefb8f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x7fefbd70000	0x7fefbd83fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x7fefbdb0000	0x7fefbdbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc520000	0x7fefc64bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samlib.dll	0x7fefc650000	0x7fefc66cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WSHTCPIP.DLL	0x7fefce30000	0x7fefce36fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x7fefcf30000	0x7fefcf4afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefcf50000	0x7fefcf6dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefd060000	0x7fefd069fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd190000	0x7fefd1d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x7fefd2b0000	0x7fefd30afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd420000	0x7fefd426fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd430000	0x7fefd484fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd490000	0x7fefd4a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netjoin.dll	0x7fefd5a0000	0x7fefd5d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefd6a0000	0x7fefd70cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefda00000	0x7fefda0afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefda60000	0x7fefda84fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefda90000	0x7fefda9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefdb40000	0x7fefdb53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefdba0000	0x7fefdbaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefddc0000	0x7fefddf5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feff1e0000	0x7feff22cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff570000	0x7feff608fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feffce0000	0x7feffce7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff9e000	0x7fffff9e000	0x7fffff9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\system32\svchost.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn

Process #27: runonce.exe

(Host: 210, Network: 0)

Information	Value
ID / OS PID	#27 / 0x4d0
OS Parent PID	0x140 (c:\windows\explorer.exe)
Initial Working Directory	C:\Windows\SysWOW64
File Name	c:\windows\syswow64\runonce.exe
Command Line	C:\Windows\SysWOW64\runonce.exe /Run6432
Monitor	Start Time: 00:01:31, Reason: Child Process
Unmonitor	End Time: 00:01:39, Reason: Terminated
Monitor Duration	00:00:08
OS Thread IDs	# 307 0x 4D4 # 327 0x 540 # 330 0x 550 # 356 0x 5C0 # 367 0x 5EC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x00010fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00021fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x000affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000b0000	0x000b0000	0x000bffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
runonce.exe.mui	0x000f0000	0x000f0fff	Memory Mapped File	Readable, Writable	Region Actions
runonce.exe	0x00100000	0x0010efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
locale.nls	0x00110000	0x00176fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000180000	0x00180000	0x00180fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x00190fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001c0000	0x001c0000	0x001c0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001e0000	0x001e0000	0x001e0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000230000	0x00230000	0x003b7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000003c0000	0x003c0000	0x0043ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000440000	0x00440000	0x005c0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000005d0000	0x005d0000	0x006cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000006d0000	0x006d0000	0x01acffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001ad0000	0x01ad0000	0x01b03fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b10000	0x01b10000	0x01b4ffff	Private Memory	Readable, Writable	Region Actions
{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000009.db	0x01b50000	0x01b65fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001bd0000	0x01bd0000	0x01c0ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001c10000	0x01c10000	0x01ceefff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001d00000	0x01d00000	0x01d3ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x01d90000	0x0205efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002130000	0x02130000	0x0216ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000021f0000	0x021f0000	0x0222ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002230000	0x02230000	0x0226ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002270000	0x02270000	0x0236ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002370000	0x02370000	0x02762fff	Pagefile Backed Memory	Readable	Region Actions
comctl32.dll	0x743c0000	0x7455dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74560000	0x74567fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74570000	0x745cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x745d0000	0x7460efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x75780000	0x7578afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x75790000	0x757b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x757f0000	0x758e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x758f0000	0x7596ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75980000	0x7598bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75990000	0x759effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75a80000	0x75b7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x75b80000	0x75c9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x75ca0000	0x75d3cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x75d40000	0x75d51fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75d60000	0x75ebbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75ec0000	0x75fb4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75fc0000	0x7606bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x76070000	0x7620cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76210000	0x76266fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76300000	0x7640ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x76440000	0x764c2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x764d0000	0x764dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x764e0000	0x76506fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76510000	0x765fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76600000	0x76609fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x76610000	0x77259fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x772d0000	0x7736ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77370000	0x77388fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x77390000	0x7741ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77420000	0x7747ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x77480000	0x774c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x77510000	0x7770afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x77710000	0x777dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x777e0000	0x77915fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x77920000	0x77949fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x77950000	0x779defff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x779e0000	0x77a24fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077a30000	0x77a30000	0x77b4efff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000077b50000	0x77b50000	0x77c49fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77e30000	0x77faffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

Module (210)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32.DLL	base_address = 0x76300000	2	Fn
LOAD	ADVAPI32.dll	base_address = 0x772d0000	2	Fn
LOAD	imagehlp.dll	base_address = 0x77920000	2	Fn
LOAD	ntdll.dll	base_address = 0x77e30000	2	Fn
LOAD	ole32.dll	base_address = 0x75d60000	2	Fn
LOAD	SHELL32.dll	base_address = 0x76610000	2	Fn
LOAD	SHLWAPI.dll	base_address = 0x76210000	2	Fn
LOAD	USER32.dll	base_address = 0x75a80000	2	Fn
LOAD	WININET.dll	base_address = 0x75ec0000	2	Fn
GET_FILENAME	C:\Windows\SysWOW64\runonce.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LoadLibraryA, address = 0x763149d7	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address = 0x76311222	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualProtect, address = 0x7631435f	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address = 0x76311856	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address = 0x7631186e	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = SetSecurityInfo, address = 0x772d9edf	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x779283f7	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = atol, address = 0x77e7d300	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ole32.dll	function = CoUninitialize, address = 0x75da86d3	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shell32.dll	function = SHGetSpecialFolderPathA, address = 0x7685fb26	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = StrStrA, address = 0x7623c45b	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = SetTimer, address = 0x75a979fb	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address = 0x75eef18e	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetEndOfFile, address = 0x7632ce2e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetEvent, address = 0x763116c5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address = 0x763111f8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SuspendThread, address = 0x76337d7e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = OpenThread, address = 0x76321248	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SystemTimeToFileTime, address = 0x76315a7e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetVersionExA, address = 0x76313519	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetLocaleInfoA, address = 0x7632d5e5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address = 0x76311809	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetWindowsDirectoryA, address = 0x76332b0a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WinExec, address = 0x76392c21	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCommandLineA, address = 0x763151a1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x763187c9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LocalFree, address = 0x76312d3c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetWaitableTimer, address = 0x7633bb2f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateWaitableTimerA, address = 0x76394c24	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateThread, address = 0x763134d5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CopyFileA, address = 0x763358e5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FileTimeToSystemTime, address = 0x7631542c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = UnmapViewOfFile, address = 0x76311826	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = MapViewOfFile, address = 0x763118f1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateFileMappingA, address = 0x76315506	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleA, address = 0x76311245	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = RemoveDirectoryA, address = 0x763944bf	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = DeleteFileA, address = 0x76315444	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryA, address = 0x7633d526	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetTempPathA, address = 0x7633276c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x76313509	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetThreadPriority, address = 0x763132bb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address = 0x7631170d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address = 0x7631192e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address = 0x7631110c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentThreadId, address = 0x76311450	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetSystemInfo, address = 0x763149ca	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = QueueUserWorkItem, address = 0x7632ca80	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = Sleep, address = 0x763110ff	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address = 0x7632d802	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = ResumeThread, address = 0x763143ef	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetThreadContext, address = 0x76395393	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetThreadContext, address = 0x763379d4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WriteProcessMemory, address = 0x7632d9e0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualAllocEx, address = 0x7632d9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateProcessA, address = 0x76311072	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualFreeEx, address = 0x7632d9c8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address = 0x76317a10	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FindClose, address = 0x76314442	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FindNextFileA, address = 0x7633d53e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FindFirstFileA, address = 0x7631e2ce	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address = 0x763117d1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameA, address = 0x763114b1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address = 0x77e52270	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address = 0x77e522b0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSection, address = 0x77e62c42	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address = 0x7631469b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WriteFile, address = 0x76311282	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = ReadFile, address = 0x76313ed3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address = 0x76311410	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetFileSize, address = 0x7631196e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateFileA, address = 0x763153c6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x7638a0b5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetPrivateProfileIntA, address = 0x7633cdd7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetPrivateProfileStringA, address = 0x7632184c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WritePrivateProfileStringA, address = 0x76337048	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapCreate, address = 0x76314a2d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapDestroy, address = 0x763135b7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address = 0x77e5e026	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address = 0x77e71f6e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapFree, address = 0x763114c9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateMutexA, address = 0x76314c6b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetLastError, address = 0x763111c0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address = 0x76311136	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = ReleaseMutex, address = 0x7631111e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x772e1f59	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x772e4608	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = CreateProcessAsUserA, address = 0x77312538	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = AdjustTokenPrivileges, address = 0x772e418e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = LookupPrivilegeValueA, address = 0x772e404a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = OpenProcessToken, address = 0x772e4304	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77e4fda0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwSetInformationToken, address = 0x77e51a78	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwDuplicateToken, address = 0x77e4fec8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwClose, address = 0x77e4f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77e4feb0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwOpenProcessToken, address = 0x77e510b0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = qsort, address = 0x77f05191	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = swprintf, address = 0x77f0550d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _wcsnicmp, address = 0x77e5f63b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _wcsicmp, address = 0x77e69337	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strstr, address = 0x77eac780	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = sprintf, address = 0x77f053c3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strncat, address = 0x77eac570	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strchr, address = 0x77e69c70	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strrchr, address = 0x77eac700	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ispunct, address = 0x77f043f3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = isalnum, address = 0x77f04418	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strncpy, address = 0x77ea5c30	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlComputeCrc32, address = 0x77eeffc1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _snprintf, address = 0x77f04760	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77e5e7f3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _stricmp, address = 0x77e6c7b9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _snwprintf, address = 0x77e62417	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = sscanf, address = 0x77f054a7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77e4fb48	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77e4fab0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlImageNtHeader, address = 0x77e63164	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77e5f546	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwContinue, address = 0x77e4fee0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlInsertElementGenericTable, address = 0x77e7939a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlDeleteElementGenericTable, address = 0x77e7a168	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlLookupElementGenericTable, address = 0x77e7a104	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlRandom, address = 0x77ef98c3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strpbrk, address = 0x77eac6c0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strncmp, address = 0x77e92f65	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _strnicmp, address = 0x77e8c27c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _strlwr, address = 0x77f04a48	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77e7c4ca	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlInitializeGenericTable, address = 0x77e6ff97	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlEnumerateGenericTable, address = 0x77ef2a56	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = memset, address = 0x77e5df20	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = memcpy, address = 0x77e52340	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = atoi, address = 0x77e7d2f3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _allmul, address = 0x77e72760	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ole32.dll	function = CoInitializeEx, address = 0x75da09ad	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ole32.dll	function = CoCreateInstance, address = 0x75da9d0b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathMatchSpecA, address = 0x7624af13	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathRemoveBackslashA, address = 0x76248d1a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathFindExtensionA, address = 0x7623eced	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = SHGetValueA, address = 0x7621cf09	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = SHEnumKeyExA, address = 0x7624fdb6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = SHSetValueA, address = 0x7624b0ef	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathFindFileNameA, address = 0x762200aa	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = StrStrIW, address = 0x762246e9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsA, address = 0x7624ad1a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathAppendA, address = 0x7621d65e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7623e20b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathAddBackslashA, address = 0x7621cf33	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = StrStrIA, address = 0x7621d250	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = DestroyWindow, address = 0x75a99a55	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetClientRect, address = 0x75aa0c62	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = ChildWindowFromPoint, address = 0x75ad8cf0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = ClientToScreen, address = 0x75aa2606	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = ScreenToClient, address = 0x75aa227d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = PostMessageW, address = 0x75aa12a5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = CreateWindowExW, address = 0x75a98a29	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetMessageW, address = 0x75a978e2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = TranslateMessage, address = 0x75a97809	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = DispatchMessageW, address = 0x75a9787b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = KillTimer, address = 0x75a979db	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = SetWindowLongW, address = 0x75a98332	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetWindowLongW, address = 0x75a96ffe	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = PostQuitMessage, address = 0x75a99abb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = DefWindowProcW, address = 0x77e625dd	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = FindWindowW, address = 0x75a998fd	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = ExitWindowsEx, address = 0x75ae1497	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = RegisterClassExW, address = 0x75a9b17d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetSystemMetrics, address = 0x75a97d2f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address = 0x75edab49	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetConnectA, address = 0x75ee49e9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = HttpOpenRequestA, address = 0x75ee4c7d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = HttpSendRequestA, address = 0x75f518f8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetQueryOptionW, address = 0x75ed7ed7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetSetOptionW, address = 0x75ed7741	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = HttpQueryInfoW, address = 0x75ee5c75	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetReadFile, address = 0x75edb406	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetCrackUrlA, address = 0x75ecd075	1	Fn

Process #28: ping.exe

(Host: 2466, Network: 33)

Information	Value
ID / OS PID	#28 / 0x50c
OS Parent PID	0x374 (c:\windows\system32\svchost.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\syswow64\ping.exe
Command Line	C:\Windows\SysWOW64\ping.exe 127.0.0.1 -t
Monitor	Start Time: 00:01:35, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:00:35
OS Thread IDs	# 316 0x 510 # 342 0x 584 # 349 0x 5A0 # 350 0x 5A4 # 352 0x 5AC # 360 0x 5D0 # 496 0x 7F8 # 500 0x 448 # 503 0x 474 # 530 0x 320 # 531 0x 344

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x0007ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000080000	0x00080000	0x0008ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000090000	0x00090000	0x00096fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000a0000	0x000a0000	0x000a1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
ping.exe.mui	0x000b0000	0x000b2fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0010ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000120000	0x00120000	0x0019ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x001a0000	0x00206fff	Memory Mapped File	Readable	Region Actions
wsock32.dll	0x00210000	0x00213fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x00210fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000220000	0x00220000	0x00226fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000220000	0x00220000	0x00220fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000230000	0x00230000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x00270fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000280000	0x00280000	0x0037ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000380000	0x00380000	0x00384fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000380000	0x00380000	0x00380fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00390fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000003a0000	0x003a0000	0x003dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003e0000	0x003e0000	0x003e0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000003f0000	0x003f0000	0x003f0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000400000	0x00400000	0x00400fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000410000	0x00410000	0x0041ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000420000	0x00420000	0x005a7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005b0000	0x005b0000	0x00730fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000740000	0x00740000	0x007fffff	Pagefile Backed Memory	Readable	Region Actions
mswsock.dll	0x00800000	0x00838fff	Memory Mapped File	Readable	Region Actions
ws2_32.dll	0x00800000	0x00832fff	Memory Mapped File	Readable	Region Actions
dnsapi.dll	0x00800000	0x00841fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000800000	0x00800000	0x00800fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000810000	0x00810000	0x00810fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000820000	0x00820000	0x00820fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000830000	0x00830000	0x00831fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000840000	0x00840000	0x00840fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000850000	0x00850000	0x00851fff	Pagefile Backed Memory	Readable	Region Actions
index.dat	0x00860000	0x00867fff	Memory Mapped File	Readable, Writable	Region Actions Download
private_0x0000000000870000	0x00870000	0x008affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008b0000	0x008b0000	0x008ebfff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000008b0000	0x008b0000	0x008e4fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000008b0000	0x008b0000	0x008f3fff	Private Memory	Readable, Writable, Executable	Region Actions
index.dat	0x008b0000	0x008b3fff	Memory Mapped File	Readable, Writable	Region Actions Download
index.dat	0x008c0000	0x008c3fff	Memory Mapped File	Readable, Writable	Region Actions Download
pagefile_0x00000000008d0000	0x008d0000	0x008d0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000008e0000	0x008e0000	0x008e0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000008f0000	0x008f0000	0x0092ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000930000	0x00930000	0x00930fff	Pagefile Backed Memory	Readable	Region Actions
PING.EXE	0x00940000	0x00947fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000970000	0x00970000	0x009affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000990000	0x00990000	0x009cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000009d0000	0x009d0000	0x00a0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a50000	0x00a50000	0x00b4ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00b50000	0x00e1efff	Memory Mapped File	Readable	Region Actions
private_0x0000000000e20000	0x00e20000	0x00e5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e60000	0x00e60000	0x00e9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e80000	0x00e80000	0x00ebffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ee0000	0x00ee0000	0x00f1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f70000	0x00f70000	0x00faffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000fe0000	0x00fe0000	0x0101ffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x01020000	0x010ecfff	Memory Mapped File	Readable	Region Actions
wininet.dll	0x01020000	0x0110ffff	Memory Mapped File	Readable	Region Actions
private_0x0000000001020000	0x01020000	0x0111ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000010f0000	0x010f0000	0x011fffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000001130000	0x01130000	0x0116ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000011e0000	0x011e0000	0x0121ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001220000	0x01220000	0x01314fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000001230000	0x01230000	0x0126ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001270000	0x01270000	0x012affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001300000	0x01300000	0x0133ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001350000	0x01350000	0x0138ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013c0000	0x013c0000	0x013cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013f0000	0x013f0000	0x0142ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001460000	0x01460000	0x0149ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001580000	0x01580000	0x0158ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001590000	0x01590000	0x015cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016d0000	0x016d0000	0x0170ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001770000	0x01770000	0x0177ffff	Private Memory	Readable, Writable	Region Actions
wow64cpu.dll	0x74560000	0x74567fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74570000	0x745cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x745d0000	0x7460efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc6.dll	0x752e0000	0x752ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x752f0000	0x75301fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
npmproxy.dll	0x75310000	0x75317fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x75320000	0x7532dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x75330000	0x7536afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x75370000	0x75385fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netprofm.dll	0x75390000	0x753e9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FWPUCLNT.DLL	0x75400000	0x75437fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x75440000	0x75445fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winrnr.dll	0x75450000	0x75457fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pnrpnsp.dll	0x75460000	0x75471fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
NapiNSP.dll	0x75480000	0x7548ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasadhlp.dll	0x75490000	0x75495fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x754a0000	0x754affff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasman.dll	0x754b0000	0x754c4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasapi32.dll	0x754d0000	0x75521fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x75530000	0x756cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WSHTCPIP.DLL	0x756d0000	0x756d4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x756e0000	0x75723fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsock32.dll	0x75730000	0x75736fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x75740000	0x7577bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
SensApi.dll	0x75780000	0x75785fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x75790000	0x757b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x757c0000	0x757c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IPHLPAPI.DLL	0x757d0000	0x757ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rtutils.dll	0x757f0000	0x757fcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x75800000	0x7580afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x75810000	0x75841fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x75850000	0x75863fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75980000	0x7598bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75990000	0x759effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75a80000	0x75b7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x75b80000	0x75c9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x75ca0000	0x75d3cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75d60000	0x75ebbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75ec0000	0x75fb4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75fc0000	0x7606bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76210000	0x76266fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76300000	0x7640ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x76440000	0x764c2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x764d0000	0x764dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76510000	0x765fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76600000	0x76609fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x76610000	0x77259fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x77260000	0x77265fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x772d0000	0x7736ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77370000	0x77388fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x77390000	0x7741ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77420000	0x7747ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x77480000	0x774c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x774d0000	0x77504fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x77510000	0x7770afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x77710000	0x777dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x777e0000	0x77915fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x77920000	0x77949fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x77950000	0x779defff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x779e0000	0x77a24fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077a30000	0x77a30000	0x77b4efff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000077b50000	0x77b50000	0x77c49fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77e30000	0x77faffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007ef9e000	0x7ef9e000	0x7efa0fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa1000	0x7efa1000	0x7efa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa4000	0x7efa4000	0x7efa6fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa7000	0x7efa7000	0x7efa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Modified Files

Filename	File Size	Hash Values	Actions
c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat	32.00 KB (32768 bytes)	MD5: 8dcf461c8fc7008041374a0ff9b872ca SHA1: 25396fab0ba85edd03df76551c58ea3f14be927a SHA256: 4c665e25a9e45a718048b8aac9f2eaa05706a4ab64c76ca3c73174b8bdeac271	File Actions Show Properties Download
c:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\cookies\index.dat	16.00 KB (16384 bytes)	MD5: d7a950fefd60dbaa01df2d85fefb3862 SHA1: 15740b197555ba8e162c37a60ba655151e3bebae SHA256: 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a	File Actions Show Properties Download
c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\index.dat	16.00 KB (16384 bytes)	MD5: d7a950fefd60dbaa01df2d85fefb3862 SHA1: 15740b197555ba8e162c37a60ba655151e3bebae SHA256: 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a	File Actions Show Properties Download

Host Behavior

File (129)

Operation	Filename	Additional Information	Count	Logfile
CREATE	c:\windows\syswow64\ntdll.dll	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
CREATE	c:\windows\syswow64\kernel32.dll	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
CREATE	c:\windows\syswow64\mswsock.dll	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
CREATE	c:\windows\syswow64\ws2_32.dll	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
CREATE	c:\windows\syswow64\wsock32.dll	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
CREATE	c:\windows\syswow64\dnsapi.dll	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
CREATE	c:\windows\syswow64\wininet.dll	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
CREATE	\device\000001a9\0d24eb7c\bckfg.tmp	desired_access = GENERIC_READ, create_disposition = OPEN_EXISTING	3	Fn
READ	\device\000001a9\0d24eb7c\bckfg.tmp	size = 538	1	Fn Data
WRITE	STD_OUTPUT_HANDLE	size = 20	1	Fn Data
WRITE	STD_OUTPUT_HANDLE	size = 24	1	Fn Data
WRITE	STD_OUTPUT_HANDLE	size = 22	29	Fn Data
WRITE	STD_OUTPUT_HANDLE	size = 9	87	Fn Data

Thread (5)

Operation	Process Name	Count	Logfile
CREATE_WORKITEM		1	Fn
CREATE_WORKITEM		1	Fn
CREATE_WORKITEM		1	Fn
OPEN	0x5ac	1	Fn
SUSPEND	0x5ac	1	Fn

Module (2243)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32.DLL	base_address = 0x76300000	2	Fn
LOAD	ADVAPI32.dll	base_address = 0x772d0000	2	Fn
LOAD	imagehlp.dll	base_address = 0x77920000	2	Fn
LOAD	ntdll.dll	base_address = 0x77e30000	2	Fn
LOAD	ole32.dll	base_address = 0x75d60000	2	Fn
LOAD	SHELL32.dll	base_address = 0x76610000	2	Fn
LOAD	SHLWAPI.dll	base_address = 0x76210000	2	Fn
LOAD	USER32.dll	base_address = 0x75a80000	2	Fn
LOAD	WININET.dll	base_address = 0x75ec0000	2	Fn
LOAD	mswsock	base_address = 0x75740000	1	Fn
LOAD	wsock32	base_address = 0x75730000	1	Fn
LOAD	dnsapi	base_address = 0x756e0000	1	Fn
LOAD	atl.dll	base_address = 0x75850000	1	Fn
LOAD	oleaut32.dll	base_address = 0x77950000	1	Fn
LOAD	winmm.dll	base_address = 0x75810000	1	Fn
LOAD	urlmon.dll	base_address = 0x777e0000	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LoadLibraryA, address = 0x763149d7	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address = 0x76311222	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualProtect, address = 0x7631435f	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address = 0x76311856	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address = 0x7631186e	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = SetSecurityInfo, address = 0x772d9edf	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x779283f7	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = atol, address = 0x77e7d300	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ole32.dll	function = CoUninitialize, address = 0x75da86d3	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shell32.dll	function = SHGetSpecialFolderPathA, address = 0x7685fb26	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = StrStrA, address = 0x7623c45b	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = SetTimer, address = 0x75a979fb	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address = 0x75eef18e	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetEndOfFile, address = 0x7632ce2e	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetEvent, address = 0x763116c5	5	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address = 0x763111f8	6	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SuspendThread, address = 0x76337d7e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = OpenThread, address = 0x76321248	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SystemTimeToFileTime, address = 0x76315a7e	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetVersionExA, address = 0x76313519	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetLocaleInfoA, address = 0x7632d5e5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address = 0x76311809	6	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetWindowsDirectoryA, address = 0x76332b0a	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WinExec, address = 0x76392c21	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCommandLineA, address = 0x763151a1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x763187c9	6	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LocalFree, address = 0x76312d3c	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetWaitableTimer, address = 0x7633bb2f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateWaitableTimerA, address = 0x76394c24	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateThread, address = 0x763134d5	5	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CopyFileA, address = 0x763358e5	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FileTimeToSystemTime, address = 0x7631542c	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = UnmapViewOfFile, address = 0x76311826	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = MapViewOfFile, address = 0x763118f1	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateFileMappingA, address = 0x76315506	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleA, address = 0x76311245	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = RemoveDirectoryA, address = 0x763944bf	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = DeleteFileA, address = 0x76315444	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryA, address = 0x7633d526	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetTempPathA, address = 0x7633276c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x76313509	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetThreadPriority, address = 0x763132bb	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address = 0x7631170d	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address = 0x7631192e	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address = 0x7631110c	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentThreadId, address = 0x76311450	6	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetSystemInfo, address = 0x763149ca	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = QueueUserWorkItem, address = 0x7632ca80	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = Sleep, address = 0x763110ff	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address = 0x7632d802	6	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = ResumeThread, address = 0x763143ef	4	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetThreadContext, address = 0x76395393	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetThreadContext, address = 0x763379d4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WriteProcessMemory, address = 0x7632d9e0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualAllocEx, address = 0x7632d9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateProcessA, address = 0x76311072	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualFreeEx, address = 0x7632d9c8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address = 0x76317a10	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FindClose, address = 0x76314442	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FindNextFileA, address = 0x7633d53e	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FindFirstFileA, address = 0x7631e2ce	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address = 0x763117d1	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameA, address = 0x763114b1	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address = 0x77e52270	5	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address = 0x77e522b0	5	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSection, address = 0x77e62c42	4	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address = 0x7631469b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WriteFile, address = 0x76311282	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = ReadFile, address = 0x76313ed3	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address = 0x76311410	5	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetFileSize, address = 0x7631196e	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateFileA, address = 0x763153c6	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x7638a0b5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetPrivateProfileIntA, address = 0x7633cdd7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetPrivateProfileStringA, address = 0x7632184c	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WritePrivateProfileStringA, address = 0x76337048	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapCreate, address = 0x76314a2d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapDestroy, address = 0x763135b7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address = 0x77e5e026	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address = 0x77e71f6e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapFree, address = 0x763114c9	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateMutexA, address = 0x76314c6b	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetLastError, address = 0x763111c0	5	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address = 0x76311136	5	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = ReleaseMutex, address = 0x7631111e	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x772e1f59	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x772e4608	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = CreateProcessAsUserA, address = 0x77312538	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = AdjustTokenPrivileges, address = 0x772e418e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = LookupPrivilegeValueA, address = 0x772e404a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = OpenProcessToken, address = 0x772e4304	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77e4fda0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwSetInformationToken, address = 0x77e51a78	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwDuplicateToken, address = 0x77e4fec8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwClose, address = 0x77e4f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77e4feb0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwOpenProcessToken, address = 0x77e510b0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = qsort, address = 0x77f05191	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = swprintf, address = 0x77f0550d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _wcsnicmp, address = 0x77e5f63b	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _wcsicmp, address = 0x77e69337	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strstr, address = 0x77eac780	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = sprintf, address = 0x77f053c3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strncat, address = 0x77eac570	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strchr, address = 0x77e69c70	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strrchr, address = 0x77eac700	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ispunct, address = 0x77f043f3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = isalnum, address = 0x77f04418	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strncpy, address = 0x77ea5c30	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlComputeCrc32, address = 0x77eeffc1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _snprintf, address = 0x77f04760	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77e5e7f3	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _stricmp, address = 0x77e6c7b9	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _snwprintf, address = 0x77e62417	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = sscanf, address = 0x77f054a7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77e4fb48	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77e4fab0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlImageNtHeader, address = 0x77e63164	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77e5f546	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwContinue, address = 0x77e4fee0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlInsertElementGenericTable, address = 0x77e7939a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlDeleteElementGenericTable, address = 0x77e7a168	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlLookupElementGenericTable, address = 0x77e7a104	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlRandom, address = 0x77ef98c3	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strpbrk, address = 0x77eac6c0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strncmp, address = 0x77e92f65	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _strnicmp, address = 0x77e8c27c	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _strlwr, address = 0x77f04a48	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77e7c4ca	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlInitializeGenericTable, address = 0x77e6ff97	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlEnumerateGenericTable, address = 0x77ef2a56	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = memset, address = 0x77e5df20	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = memcpy, address = 0x77e52340	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = atoi, address = 0x77e7d2f3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _allmul, address = 0x77e72760	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ole32.dll	function = CoInitializeEx, address = 0x75da09ad	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ole32.dll	function = CoCreateInstance, address = 0x75da9d0b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathMatchSpecA, address = 0x7624af13	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathRemoveBackslashA, address = 0x76248d1a	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathFindExtensionA, address = 0x7623eced	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = SHGetValueA, address = 0x7621cf09	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = SHEnumKeyExA, address = 0x7624fdb6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = SHSetValueA, address = 0x7624b0ef	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathFindFileNameA, address = 0x762200aa	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = StrStrIW, address = 0x762246e9	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsA, address = 0x7624ad1a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathAppendA, address = 0x7621d65e	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7623e20b	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathAddBackslashA, address = 0x7621cf33	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = StrStrIA, address = 0x7621d250	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = DestroyWindow, address = 0x75a99a55	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetClientRect, address = 0x75aa0c62	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = ChildWindowFromPoint, address = 0x75ad8cf0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = ClientToScreen, address = 0x75aa2606	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = ScreenToClient, address = 0x75aa227d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = PostMessageW, address = 0x75aa12a5	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = CreateWindowExW, address = 0x75a98a29	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetMessageW, address = 0x75a978e2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = TranslateMessage, address = 0x75a97809	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = DispatchMessageW, address = 0x75a9787b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = KillTimer, address = 0x75a979db	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = SetWindowLongW, address = 0x75a98332	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetWindowLongW, address = 0x75a96ffe	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = PostQuitMessage, address = 0x75a99abb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = DefWindowProcW, address = 0x77e625dd	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = FindWindowW, address = 0x75a998fd	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = ExitWindowsEx, address = 0x75ae1497	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = RegisterClassExW, address = 0x75a9b17d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetSystemMetrics, address = 0x75a97d2f	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address = 0x75edab49	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetConnectA, address = 0x75ee49e9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = HttpOpenRequestA, address = 0x75ee4c7d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = HttpSendRequestA, address = 0x75f518f8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetQueryOptionW, address = 0x75ed7ed7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetSetOptionW, address = 0x75ed7741	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = HttpQueryInfoW, address = 0x75ee5c75	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetReadFile, address = 0x75edb406	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetCrackUrlA, address = 0x75ecd075	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = IsWow64Process, address = 0x7631195e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetNativeSystemInfo, address = 0x763210b5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = LdrLockLoaderLock, address = 0x77e66b95	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = LdrUnlockLoaderLock, address = 0x77e66c3c	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlUnwind, address = 0x77e76d39	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCaptureContext, address = 0x77e76b2b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCaptureStackBackTrace, address = 0x77e94f8f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtCreateEvent, address = 0x77e4ff64	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtDuplicateObject, address = 0x77e4fe34	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlConvertSidToUnicodeString, address = 0x77e6aec2	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtNotifyChangeKey, address = 0x77e50f60	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlRunOnceInitialize, address = 0x77e68456	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtResetEvent, address = 0x77e51798	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlValidSecurityDescriptor, address = 0x77e95e16	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlOpenCurrentUser, address = 0x77e8b06f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtQueryInstallUILanguage, address = 0x77e51404	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlpConvertCultureNamesToLCIDs, address = 0x77ee9fa8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlpConvertLCIDsToCultureNames, address = 0x77ee9d5e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = EtwEventEnabled, address = 0x77e688e2	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlSetProcessPreferredUILanguages, address = 0x77eeb52a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlExpandEnvironmentStrings_U, address = 0x77e8c9e7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlUnicodeStringToInteger, address = 0x77e8cb1e	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlLCIDToCultureName, address = 0x77e7feff	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlIdnToUnicode, address = 0x77ef6e59	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlIdnToNameprepUnicode, address = 0x77ef6e35	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlIdnToAscii, address = 0x77ea0bd5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlIsNormalizedString, address = 0x77ef8a72	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlNormalizeString, address = 0x77e95743	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlIntegerToUnicodeString, address = 0x77e68aad	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _ui64tow, address = 0x77e9dda7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _wtol, address = 0x77ea8706	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _wcslwr, address = 0x77f04b6b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlUnhandledExceptionFilter, address = 0x77ef8dd3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtTerminateProcess, address = 0x77e4fca0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = wcsncpy, address = 0x77f05755	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = wcsncmp, address = 0x77e67f75	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlReadThreadProfilingData, address = 0x77ecf099	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlQueryThreadProfiling, address = 0x77ecf07a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlDisableThreadProfiling, address = 0x77ecf030	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlEnableThreadProfiling, address = 0x77ecef5f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlSetExtendedFeaturesMask, address = 0x77ef1482	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlGetExtendedFeaturesMask, address = 0x77ef189d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlLocateExtendedFeature, address = 0x77ef1916	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCopyContext, address = 0x77ef15e6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlGetEnabledExtendedFeatures, address = 0x77ef4c27	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlGetExtendedContextLength, address = 0x77ef1816	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlInitializeExtendedContext, address = 0x77ef1728	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlLocateLegacyContext, address = 0x77ef1412	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtRaiseException, address = 0x77e515dc	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = EtwEventWriteNoRegistration, address = 0x77ea2220	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlRegisterWait, address = 0x77ea0852	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlSetIoCompletionCallback, address = 0x77ea8a7e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlQueueWorkItem, address = 0x77e980a6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlDeregisterWait, address = 0x77f10663	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtOpenEvent, address = 0x77e4fe98	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtResetWriteWatch, address = 0x77e517b4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtGetWriteWatch, address = 0x77e50d00	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtMapUserPhysicalPagesScatter, address = 0x77e4f890	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtMapUserPhysicalPages, address = 0x77e50efc	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtFreeUserPhysicalPages, address = 0x77e50bd8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtAllocateUserPhysicalPages, address = 0x77e50344	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtUnlockVirtualMemory, address = 0x77e51ec0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtLockVirtualMemory, address = 0x77e50e94	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlOemStringToUnicodeString, address = 0x77e9b955	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlSetEnvironmentStrings, address = 0x77ef1e9a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlComputeImportTableHash, address = 0x77edc90d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = bsearch, address = 0x77e5ebdc	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlEncodeSystemPointer, address = 0x77e6e058	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlFindCharInUnicodeString, address = 0x77e5fb37	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlNtPathNameToDosPathName, address = 0x77e7eb6b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtApphelpCacheControl, address = 0x77e4ffc4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlFindActivationContextSectionGuid, address = 0x77e93ecb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlFindActivationContextSectionString, address = 0x77e5ec78	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlDoesFileExists_U, address = 0x77e87ecd	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCreateActivationContext, address = 0x77e88aff	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = DbgPrintEx, address = 0x77ea5af3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlImageNtHeaderEx, address = 0x77e5f495	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlSetThreadPreferredUILanguages, address = 0x77e7d6b7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlQueryActivationContextApplicationSettings, address = 0x77e83a09	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlGetThreadPreferredUILanguages, address = 0x77e7f97c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlQueryInformationActivationContext, address = 0x77e6b988	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlMultiAppendUnicodeStringBuffer, address = 0x77e8a858	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlpEnsureBufferSize, address = 0x77e92aed	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlGetLengthWithoutLastFullDosOrNtPathElement, address = 0x77e88910	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlpApplyLengthFunction, address = 0x77e8889d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlGetActiveActivationContext, address = 0x77e6bd84	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlDeactivateActivationContext, address = 0x77e94ae8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlActivateActivationContext, address = 0x77e94c86	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlZombifyActivationContext, address = 0x77edc027	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlReleaseActivationContext, address = 0x77e6bb43	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlAddRefActivationContext, address = 0x77e5f622	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtSetInformationJobObject, address = 0x77e51a30	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtCreateJobSet, address = 0x77e5072c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtQueryInformationJobObject, address = 0x77e51374	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtTerminateJobObject, address = 0x77e51d94	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtAssignProcessToJobObject, address = 0x77e5058c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtOpenJobObject, address = 0x77e50ff0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtCreateJobObject, address = 0x77e50714	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = tolower, address = 0x77f0559f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = isdigit, address = 0x77e7c3d5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = toupper, address = 0x77e78bf5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlGetCurrentDirectory_U, address = 0x77e9103d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCopyLuid, address = 0x77ee2297	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlFreeOemString, address = 0x77ececca	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCreateEnvironment, address = 0x77ef1dfe	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCreateEnvironmentEx, address = 0x77e7d3a3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlDestroyEnvironment, address = 0x77e7ed9a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtQueryEvent, address = 0x77e500bc	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = CsrClientCallServer, address = 0x77edcaff	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = CsrAllocateCaptureBuffer, address = 0x77edcb0f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = CsrAllocateMessagePointer, address = 0x77edcb2f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = CsrFreeCaptureBuffer, address = 0x77edcb1f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtDeviceIoControlFile, address = 0x77e4f8fc	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCreateQueryDebugBuffer, address = 0x77ea2745	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlQueryProcessDebugInformation, address = 0x77ea348c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlDestroyQueryDebugBuffer, address = 0x77ea3380	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtMapViewOfSection, address = 0x77e4fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtUnmapViewOfSection, address = 0x77e4fc70	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlFreeUserStack, address = 0x77e9e710	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlProcessFlsData, address = 0x77e699a7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlAllocateActivationContextStack, address = 0x77e69f73	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlFreeActivationContextStack, address = 0x77e8d484	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCreateUserStack, address = 0x77ea0f4f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = TpCaptureCaller, address = 0x77e7248d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtSuspendThread, address = 0x77e51d60	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtSetContextThread, address = 0x77e51910	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtGetContextThread, address = 0x77e50c20	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlAllocateAndInitializeSid, address = 0x77e693e2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlFreeSid, address = 0x77e693b2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtSignalAndWaitForSingleObject, address = 0x77e51cd8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlRunOnceComplete, address = 0x77e6bfe5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlRunOnceBeginInitialize, address = 0x77e67e1b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlRunOnceExecuteOnce, address = 0x77e67de3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlSleepConditionVariableSRW, address = 0x77ed8028	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlSleepConditionVariableCS, address = 0x77ed7f2b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtOpenPrivateNamespace, address = 0x77e51098	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtCreatePrivateNamespace, address = 0x77e507ec	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtDeletePrivateNamespace, address = 0x77e50a1c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlInitializeSRWLock, address = 0x77e68456	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlAddIntegrityLabelToBoundaryDescriptor, address = 0x77ee53cf	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlAddSIDToBoundaryDescriptor, address = 0x77e9ae93	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCreateBoundaryDescriptor, address = 0x77e986f1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlAcquireSRWLockShared, address = 0x77e62560	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlReleaseSRWLockShared, address = 0x77e625a9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtProtectVirtualMemory, address = 0x77e50028	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strcpy_s, address = 0x77e959cd	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtReplacePartitionUnit, address = 0x77e51750	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCompareUnicodeString, address = 0x77e684b7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlRaiseStatus, address = 0x77e76ea5	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtQueryInformationToken, address = 0x77e4fb98	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlInitializeSid, address = 0x77e70f5a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlSubAuthoritySid, address = 0x77e70f42	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = LdrLoadDll, address = 0x77e6c43a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = LdrGetProcedureAddress, address = 0x77e601aa	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = LdrUnloadDll, address = 0x77e711d7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlQueryRegistryValues, address = 0x77ea4b60	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtQuerySystemInformationEx, address = 0x77e51590	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlDecodeSystemPointer, address = 0x77e6ad98	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlWow64LogMessageInEventLogger, address = 0x77ede4a3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlxAnsiStringToUnicodeSize, address = 0x77ee6262	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtIsSystemResumeAutomatic, address = 0x77e50d98	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtGetDevicePowerState, address = 0x77e50c54	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtSetThreadExecutionState, address = 0x77e51c20	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtInitiatePowerAction, address = 0x77e50d7c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtPowerInformation, address = 0x77e5019c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtSetVolumeInformationFile, address = 0x77e51c8c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlQueryEnvironmentVariable_U, address = 0x77e69953	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlGetFullPathName_U, address = 0x77e8b3e9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlIsNameLegalDOS8Dot3, address = 0x77ef45da	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlGetCurrentProcessorNumberEx, address = 0x77e62a31	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _allshl, address = 0x77e63140	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtOpenThreadToken, address = 0x77e4fbe0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtSetInformationThread, address = 0x77e4f99c	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = LdrLoadAlternateResourceModuleEx, address = 0x77e7399a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = LdrLoadAlternateResourceModule, address = 0x77ea6595	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = LdrpResGetMappingSize, address = 0x77e6c9fc	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = LdrRscIsTypeExist, address = 0x77e736dd	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = LdrFindResource_U, address = 0x77e71f2d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _strcmpi, address = 0x77e6c7b9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strncat_s, address = 0x77f08715	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlInitAnsiStringEx, address = 0x77e5f79b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCreateUnicodeString, address = 0x77e8bdee	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlUpcaseUnicodeChar, address = 0x77e5e819	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = wcstoul, address = 0x77f05816	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = LdrGetFileNameFromLoadAsDataTable, address = 0x77edd596	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = wcsrchr, address = 0x77e67ee9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtQueryVirtualMemory, address = 0x77e4fbc8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCultureNameToLCID, address = 0x77e8a503	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = LdrResFindResourceDirectory, address = 0x77e6da15	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = LdrResFindResource, address = 0x77e7e29c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = LdrFindResourceEx_U, address = 0x77e8b5d5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = LdrpResGetResourceDirectory, address = 0x77e6cbb8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = LdrResGetRCConfig, address = 0x77e77c5f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlVerifyVersionInfo, address = 0x77ea92fa	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlGetProductInfo, address = 0x77e7b014	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlLcidToLocaleName, address = 0x77e7f816	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlGetUILanguageInfo, address = 0x77eeb696	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtCreateMailslotFile, address = 0x77e50774	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlExtendedLargeIntegerDivide, address = 0x77e72554	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCleanUpTEBLangLists, address = 0x77e8d5fa	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlSetThreadPoolStartFunc, address = 0x77e81bf7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = LdrSetDllManifestProber, address = 0x77e815f6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlSetUserCallbackExceptionFilter, address = 0x77e822f4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlSetUnhandledExceptionFilter, address = 0x77e80b8a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlEncodePointer, address = 0x77e70fcb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlGetNativeSystemInformation, address = 0x77e520ac	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlAcquireSRWLockExclusive, address = 0x77e629f1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlReleaseSRWLockExclusive, address = 0x77e629ab	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = LdrQueryImageFileExecutionOptions, address = 0x77e7c132	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _aulldiv, address = 0x77e8b140	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlSetUserValueHeap, address = 0x77e8cff2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlReAllocateHeap, address = 0x77e71f6e	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlAllocateHandle, address = 0x77e68200	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlFreeHandle, address = 0x77e68242	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlDeregisterSecureMemoryCacheCallback, address = 0x77ef2ddb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlRegisterSecureMemoryCacheCallback, address = 0x77ef2d5d	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCompactHeap, address = 0x77e7cb4d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlSizeHeap, address = 0x77e63002	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlGetUserInfoHeap, address = 0x77e97c71	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlLockHeap, address = 0x77e6814c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlIsValidHandle, address = 0x77e681cb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlUnlockHeap, address = 0x77e680ee	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtQuerySystemInformation, address = 0x77e4fda0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlInitString, address = 0x77e5e198	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtSetSystemEnvironmentValueEx, address = 0x77e51bbc	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlGUIDFromString, address = 0x77e7b755	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtQuerySystemEnvironmentValueEx, address = 0x77e51578	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = swprintf_s, address = 0x77e9290f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _alldiv, address = 0x77ea8d00	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtFlushBuffersFile, address = 0x77e4ffac	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlGetLastNtStatus, address = 0x77ef4c46	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlDosPathNameToNtPathName_U_WithStatus, address = 0x77e71660	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlEqualSid, address = 0x77e694b1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlQueryInformationAcl, address = 0x77e96965	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlGetAce, address = 0x77e8cde6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtRaiseHardError, address = 0x77e515f4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtQueryVolumeInformationFile, address = 0x77e4ff7c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = LdrAddRefDll, address = 0x77e6ffdd	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtCreateKeyTransacted, address = 0x77e50744	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlDetermineDosPathNameType_U, address = 0x77e6a639	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _vsnwprintf, address = 0x77e7ef93	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlUnicodeStringToOemString, address = 0x77e9ba27	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlWow64EnableFsRedirection, address = 0x77ed7bf3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtCancelIoFile, address = 0x77e5016c	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtCancelSynchronousIoFile, address = 0x77e505c0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtNotifyChangeDirectoryFile, address = 0x77e50f48	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlActivateActivationContextUnsafeFast, address = 0x77e521f1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlDeactivateActivationContextUnsafeFast, address = 0x77e52159	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtQueryDirectoryFile, address = 0x77e4fd88	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtWaitForSingleObject, address = 0x77e4f8ac	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlGetThreadErrorMode, address = 0x77ea2108	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlSetThreadErrorMode, address = 0x77e7a7be	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlSetLastWin32ErrorAndNtStatusFromNtStatus, address = 0x77e8c74e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtOpenProcessToken, address = 0x77e510b0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlNtStatusToDosErrorNoTeb, address = 0x77e6622c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = EtwEventRegister, address = 0x77e6f6ba	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = EtwEventWrite, address = 0x77e90c59	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = EtwEventUnregister, address = 0x77e89241	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtCreateSection, address = 0x77e4ff94	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtQuerySection, address = 0x77e50040	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlGetVersion, address = 0x77e6873a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlQueryElevationFlags, address = 0x77e7bc78	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtSetInformationProcess, address = 0x77e4fb18	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCharToInteger, address = 0x77eaa1d8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strncpy_s, address = 0x77ea9eaa	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlGetLongestNtPathLength, address = 0x77e8cdce	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlEqualString, address = 0x77e91dcc	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlFreeAnsiString, address = 0x77e5e126	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCopyUnicodeString, address = 0x77e685cb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlDosPathNameToNtPathName_U, address = 0x77e8ce41	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtLockFile, address = 0x77e50e44	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtReadFile, address = 0x77e4f8e0	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlIsTextUnicode, address = 0x77e7a26d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtDeleteValueKey, address = 0x77e50a34	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtEnumerateKey, address = 0x77e4fd3c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlFormatCurrentUserKeyPath, address = 0x77e6b141	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlAppendUnicodeToString, address = 0x77e68626	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlAppendUnicodeStringToString, address = 0x77e6855f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlPrefixUnicodeString, address = 0x77e72799	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = CsrVerifyRegion, address = 0x77edcc64	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtAllocateVirtualMemory, address = 0x77e4fab0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtWriteFile, address = 0x77e4f918	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtFreeVirtualMemory, address = 0x77e4fb48	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtUnlockFile, address = 0x77e51ea8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtEnumerateValueKey, address = 0x77e4fa30	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlMultiByteToUnicodeSize, address = 0x77eaa0da	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlUnicodeToMultiByteN, address = 0x77e6692e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlMultiByteToUnicodeN, address = 0x77e5e545	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlQueryAtomInAtomTable, address = 0x77e9781c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtQueryInformationAtom, address = 0x77e51344	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlDeleteAtomFromAtomTable, address = 0x77e95255	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtDeleteAtom, address = 0x77e50988	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlLookupAtomInAtomTable, address = 0x77e73059	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtFindAtom, address = 0x77e4fa48	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlAddAtomToAtomTable, address = 0x77e950a2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtAddAtom, address = 0x77e4ff48	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCreateAtomTable, address = 0x77e887fe	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlDestroyAtomTable, address = 0x77ee51ca	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlDosPathNameToRelativeNtPathName_U, address = 0x77e7163a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlReleaseRelativeName, address = 0x77e6a901	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlIsDosDeviceName_U, address = 0x77e6a942	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = DbgUiStopDebugging, address = 0x77ecf7c8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = DbgUiContinue, address = 0x77ecf7a3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = DbgUiWaitStateChange, address = 0x77ecf77c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = DbgUiConvertStateChangeStructure, address = 0x77ecf8cc	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtFlushInstructionCache, address = 0x77e50b54	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtQueryInformationThread, address = 0x77e4fbf8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = DbgUiGetThreadDebugObject, address = 0x77ecf74d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtSetInformationDebugObject, address = 0x77e51a00	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = DbgUiIssueRemoteBreakin, address = 0x77ecf843	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = DbgUiConnectToDbg, address = 0x77ecf6fb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = DbgUiDebugActiveProcess, address = 0x77ecf88a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = CsrGetProcessId, address = 0x77edcb92	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtOpenProcess, address = 0x77e4fc10	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtSetSystemTime, address = 0x77e51c04	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlReleasePrivilege, address = 0x77e79c1c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlAcquirePrivilege, address = 0x77e79a6d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCutoverTimeToSystemTime, address = 0x77ea48b0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtSetSystemInformation, address = 0x77e51bd4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlTimeFieldsToTime, address = 0x77e908ca	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlTimeToTimeFields, address = 0x77e90535	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtQueryInformationProcess, address = 0x77e4fac8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlGetCurrentTransaction, address = 0x77e67ff5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlSetCurrentTransaction, address = 0x77e68026	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = wcsncpy_s, address = 0x77e9e4de	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = wcscat_s, address = 0x77e789aa	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlPrefixString, address = 0x77e9e0b4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = wcsstr, address = 0x77e60c87	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = wcschr, address = 0x77e67f1c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCreateUnicodeStringFromAsciiz, address = 0x77e683fc	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlInitAnsiString, address = 0x77e5e1d0	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlAnsiStringToUnicodeString, address = 0x77e5e6b5	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlInitUnicodeStringEx, address = 0x77e67d73	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NlsMbCodePageTag, address = 0x77f30003	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlxUnicodeStringToAnsiSize, address = 0x77ee623d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlUnicodeStringToAnsiString, address = 0x77e66ac8	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlEnterCriticalSection, address = 0x77e522b0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlLeaveCriticalSection, address = 0x77e52270	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlNtStatusToDosError, address = 0x77e661ed	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlDnsHostNameToComputerName, address = 0x77ee66fb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlFreeUnicodeString, address = 0x77e5e126	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlUnicodeToMultiByteSize, address = 0x77e8c9bc	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = wcscspn, address = 0x77ea9eea	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = wcscpy_s, address = 0x77e686a6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = memmove, address = 0x77e68f50	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _memicmp, address = 0x77f04750	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtCreateKey, address = 0x77e4fb30	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtSetValueKey, address = 0x77e501b4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtFlushKey, address = 0x77e50b70	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlInitUnicodeString, address = 0x77e5e208	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtOpenKey, address = 0x77e4fa18	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtQueryValueKey, address = 0x77e4fa98	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtClose, address = 0x77e4f9d0	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlDeleteCriticalSection, address = 0x77e645f5	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlInitializeCriticalSection, address = 0x77e62c42	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtSetInformationFile, address = 0x77e4fc28	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtSetSecurityObject, address = 0x77e51b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtSetEaFile, address = 0x77e519b0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtQuerySecurityObject, address = 0x77e51518	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlLengthSecurityDescriptor, address = 0x77e95d84	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtQueryEaFile, address = 0x77e51314	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtQueryInformationFile, address = 0x77e4fa00	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtOpenFile, address = 0x77e4fd54	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtCreateFile, address = 0x77e500a4	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtFsControlFile, address = 0x77e4fde8	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlSetLastWin32Error, address = 0x77e522ef	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlAllocateHeap, address = 0x77e5e026	4	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCreateAcl, address = 0x77e72d21	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlAddAccessAllowedAce, address = 0x77e72e50	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCreateSecurityDescriptor, address = 0x77e72c94	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlSetOwnerSecurityDescriptor, address = 0x77e72e73	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlSetGroupSecurityDescriptor, address = 0x77e72ec1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlSetDaclSecurityDescriptor, address = 0x77e72cc2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlFreeHeap, address = 0x77e5df85	4	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlInitializeExceptionChain, address = 0x77e69e6f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = TpAllocPool, address = 0x77e8304e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = TpSetPoolMinThreads, address = 0x77e9cf79	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = TpSetPoolStackInformation, address = 0x77e85f6c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = TpQueryPoolStackInformation, address = 0x77f0f216	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = TpAllocCleanupGroup, address = 0x77e9853e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = TpSimpleTryPost, address = 0x77e9656e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = TpAllocWork, address = 0x77e9c5b6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = TpAllocTimer, address = 0x77e89f47	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = TpAllocWait, address = 0x77e9c7f8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = TpAllocIoCompletion, address = 0x77e780cc	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = TpCallbackMayRunLong, address = 0x77e9e162	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlQueryEnvironmentVariable, address = 0x77e696ef	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtWriteVirtualMemory, address = 0x77e4fe04	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtOpenDirectoryObject, address = 0x77e500ec	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtQuerySymbolicLinkObject, address = 0x77e51548	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtOpenSymbolicLinkObject, address = 0x77e51110	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = wcspbrk, address = 0x77e8b617	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtWow64WriteVirtualMemory64, address = 0x77e5210c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlDestroyProcessParameters, address = 0x77e7bc52	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCreateProcessParametersEx, address = 0x77e7bd9b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtResumeThread, address = 0x77e50058	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = DbgPrint, address = 0x77eaa7a0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtRemoveProcessDebug, address = 0x77e516ec	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = LdrQueryImageFileKeyOption, address = 0x77e92fd2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtCreateUserProcess, address = 0x77e5090c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlGetFullPathName_UstrEx, address = 0x77e6aaf4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlDecodePointer, address = 0x77e69d35	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlKnownExceptionFilter, address = 0x77ea2120	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlRaiseException, address = 0x77e76e68	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtRequestWaitReplyPort, address = 0x77e4fbb0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtOpenKeyTransacted, address = 0x77e51020	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtQueryKey, address = 0x77e4fa80	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtOpenKeyEx, address = 0x77e51008	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtOpenKeyTransactedEx, address = 0x77e51038	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlValidRelativeSecurityDescriptor, address = 0x77ea5793	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtDeleteKey, address = 0x77e509ec	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtLoadKey, address = 0x77e50dfc	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtUnloadKey, address = 0x77e51e60	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtNotifyChangeMultipleKeys, address = 0x77e50f78	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtRestoreKey, address = 0x77e517d0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtSaveKeyEx, address = 0x77e5187c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlLengthSid, address = 0x77e6931b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlMakeSelfRelativeSD, address = 0x77e954f3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtDuplicateToken, address = 0x77e4fec8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlTryAcquirePebLock, address = 0x77e94654	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _vsnprintf, address = 0x77ea9d88	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtWaitForMultipleObjects, address = 0x77e50138	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlReleasePebLock, address = 0x77e67f5e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtClearEvent, address = 0x77e4fe64	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlWerpReportException, address = 0x77ea3ac6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = LdrResSearchResource, address = 0x77e6cd5c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtWow64ReadVirtualMemory64, address = 0x77e520f4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtWow64QueryInformationProcess64, address = 0x77e520dc	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlCompareMemory, address = 0x77e93b00	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = WerReportSQMEvent, address = 0x77ed94a1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtAccessCheck, address = 0x77e50218	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = VerSetConditionMask, address = 0x77ea92b9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = WinSqmIsOptedIn, address = 0x77e89b58	4	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strcat_s, address = 0x77e9596f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlExitUserThread, address = 0x77e8d598	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlExitUserProcess, address = 0x77e88de8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _aullrem, address = 0x77e70a90	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = BaseReleaseProcessDllPath, address = 0x7748b5b5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = BaseGetProcessExePath, address = 0x7748b54c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = BaseGetProcessDllPath, address = 0x7748b515	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = LoadStringByReference, address = 0x774b25de	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = InternalLcidToName, address = 0x7749e702	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = NlsIsUserDefaultLocale, address = 0x774a3009	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetUserInfo, address = 0x774a3c80	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetPtrCalDataArray, address = 0x774a29a6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetPtrCalData, address = 0x774a296d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetStringTableEntry, address = 0x774a2e9a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CheckGroupPolicyEnabled, address = 0x774a0025	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = OpenRegKey, address = 0x774b2df3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetCPHashNode, address = 0x7749fd6c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = Internal_EnumSystemCodePages, address = 0x774a906c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = Internal_EnumUILanguages, address = 0x774a8336	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = Internal_EnumLanguageGroupLocales, address = 0x774a8066	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = Internal_EnumSystemLanguageGroups, address = 0x774a7d8d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = Internal_EnumDateFormats, address = 0x774aa1de	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = Internal_EnumTimeFormats, address = 0x774aa163	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = KernelBaseGetGlobalData, address = 0x77486c21	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = InvalidateTzSpecificCache, address = 0x77488ed1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = IsDBCSLeadByte, address = 0x774ada61	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CreateFileMappingNumaW, address = 0x7748da5f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CompareStringA, address = 0x774a061d	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = LoadStringBaseExW, address = 0x77493ad9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = BaseInvalidateDllSearchPathCache, address = 0x7748a940	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = BaseInvalidateProcessSearchPathCache, address = 0x7748a955	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = BaseDllFreeResourceId, address = 0x77491282	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = BaseDllMapResourceIdW, address = 0x77492069	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetUserDefaultUILanguage, address = 0x774b187f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = EnumUILanguagesW, address = 0x774aa036	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = AreFileApisANSI, address = 0x7748b6b6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = EnumCalendarInfoExW, address = 0x774aa0f2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = EnumCalendarInfoW, address = 0x774aa0c2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = EnumDateFormatsExW, address = 0x774aa2fd	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = EnumDateFormatsW, address = 0x774aa2d0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = EnumLanguageGroupLocalesW, address = 0x774aa015	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = EnumSystemCodePagesW, address = 0x774aa0a7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = EnumSystemLanguageGroupsW, address = 0x774a9ff7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = EnumSystemLocalesEx, address = 0x774aa074	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = EnumSystemLocalesW, address = 0x774aa054	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = EnumTimeFormatsW, address = 0x774aa27a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetLocaleInfoA, address = 0x774a07e2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetStringTypeA, address = 0x774a055a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetSystemDefaultUILanguage, address = 0x774b184a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = IsDBCSLeadByteEx, address = 0x774aefb1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = MapViewOfFileExNuma, address = 0x7748dd34	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetFileApisToANSI, address = 0x7748b642	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetFileApisToOEM, address = 0x7748b67c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = VirtualAllocExNuma, address = 0x7748e109	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = EnumCalendarInfoExEx, address = 0x774aa122	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = EnumDateFormatsExEx, address = 0x774aa32a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = EnumTimeFormatsEx, address = 0x774aa2a5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetCurrencyFormatEx, address = 0x774b1180	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetEraNameCountedString, address = 0x774a29e2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetNumberFormatEx, address = 0x774b0d34	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetSystemDefaultLocaleName, address = 0x774a3463	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetUserDefaultLocaleName, address = 0x774a34d0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = LCIDToLocaleName, address = 0x774a38c5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetNamedLocaleHashNode, address = 0x7749fad0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetLocaleInfoHelper, address = 0x774a3d73	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetUserInfoWord, address = 0x774a2f73	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetCalendar, address = 0x7749f354	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SpecialMBToWC, address = 0x774ae7a6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = Internal_EnumCalendarInfo, address = 0x774a928b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = NlsValidateLocale, address = 0x774a2e6c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = BaseReleaseProcessExePath, address = 0x7748b5e4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = TlsGetValue, address = 0x77492c95	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetThreadPriority, address = 0x7749339f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetProcessShutdownParameters, address = 0x7748eae7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetPriorityClass, address = 0x7748e886	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = ResumeThread, address = 0x77492bbe	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = QueueUserAPC, address = 0x77492d6f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = ProcessIdToSessionId, address = 0x774936d6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = OpenThread, address = 0x7749287e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetThreadPriorityBoost, address = 0x774929d4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetThreadPriority, address = 0x77492950	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetStartupInfoW, address = 0x7748edf4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetProcessTimes, address = 0x7748ea7a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetPriorityClass, address = 0x7748ea14	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetExitCodeThread, address = 0x77492ad2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetCurrentThreadId, address = 0x77492b18	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetCurrentThread, address = 0x77492b0f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetProcessId, address = 0x7748e67d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetProcessIdOfThread, address = 0x77492b5c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetThreadId, address = 0x77492b27	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetCurrentProcessId, address = 0x7748ee93	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CreateRemoteThreadEx, address = 0x77492ef3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetExitCodeProcess, address = 0x7748e5c7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = TlsFree, address = 0x77492ce5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = TlsAlloc, address = 0x77493529	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = TerminateThread, address = 0x77492a0e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = TerminateProcess, address = 0x7748e581	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SwitchToThread, address = 0x77492edb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SuspendThread, address = 0x77492b91	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetThreadStackGuarantee, address = 0x7748ad25	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetThreadPriorityBoost, address = 0x77492999	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = OpenProcessToken, address = 0x7749b9f7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = TlsSetValue, address = 0x774935f5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetProcessAffinityUpdateMode, address = 0x7748e42e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = QueryProcessAffinityUpdateMode, address = 0x7748e47c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetProcessVersion, address = 0x7748eea2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CreateRemoteThread, address = 0x774936ac	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = InitializeProcThreadAttributeList, address = 0x7748eb9f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = UpdateProcThreadAttribute, address = 0x7748ec13	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = DeleteProcThreadAttributeList, address = 0x7748ec0b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetCurrentProcess, address = 0x7748e674	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = HeapCreate, address = 0x77494516	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = HeapSetInformation, address = 0x77494819	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = HeapQueryInformation, address = 0x7749484a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = HeapLock, address = 0x774946ce	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = HeapDestroy, address = 0x77494580	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetProcessHeap, address = 0x7749469a	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetProcessHeaps, address = 0x774946ac	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = HeapWalk, address = 0x77494702	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = HeapValidate, address = 0x7749467a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = HeapUnlock, address = 0x774946e8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = HeapCompact, address = 0x774946bd	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = HeapSummary, address = 0x774945f9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = MapViewOfFileEx, address = 0x7748df2d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = ReadProcessMemory, address = 0x7748dfc8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = UnmapViewOfFile, address = 0x7748de3e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = VirtualAlloc, address = 0x7748e365	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = VirtualAllocEx, address = 0x7748e2c8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = VirtualFree, address = 0x7748e2aa	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = VirtualFreeEx, address = 0x7748e174	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = VirtualProtect, address = 0x7748e326	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = WriteProcessMemory, address = 0x7748e009	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = VirtualQueryEx, address = 0x7748e273	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = VirtualQuery, address = 0x7748e347	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = VirtualProtectEx, address = 0x7748e1ff	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FlushViewOfFile, address = 0x7748ddf5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CreateFileMappingW, address = 0x7748db8e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = OpenFileMappingW, address = 0x7748dc9c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = MapViewOfFile, address = 0x7748de94	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = DuplicateHandle, address = 0x7748b778	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetHandleInformation, address = 0x7748b7fb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetHandleInformation, address = 0x7748b884	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CloseHandle, address = 0x7748b730	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = OpenProcess, address = 0x7748e505	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = OpenSemaphoreW, address = 0x774905dc	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = OpenWaitableTimerW, address = 0x774909d5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = ReleaseMutex, address = 0x7749030b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = ReleaseSemaphore, address = 0x77490247	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = OpenMutexW, address = 0x774906ea	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetEvent, address = 0x7749013d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetWaitableTimer, address = 0x77490a69	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SleepEx, address = 0x77492beb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = WaitForMultipleObjectsEx, address = 0x77490862	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = WaitForSingleObjectEx, address = 0x7749077e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = OpenEventW, address = 0x77490548	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = OpenEventA, address = 0x77490ae4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = InitializeCriticalSectionEx, address = 0x7749006c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = InitializeCriticalSectionAndSpinCount, address = 0x7749004f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CreateWaitableTimerExW, address = 0x77490335	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CreateSemaphoreExW, address = 0x774901b9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CreateEventA, address = 0x77490ab4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CreateEventW, address = 0x77490518	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CancelWaitableTimer, address = 0x7749049b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CreateEventExA, address = 0x774904c5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CreateEventExW, address = 0x7749009e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CreateMutexA, address = 0x77490b34	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CreateMutexExA, address = 0x77490670	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CreateMutexExW, address = 0x77490275	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = ResetEvent, address = 0x77490167	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CreateMutexW, address = 0x774906c3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetFullPathNameW, address = 0x77499e8e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetFullPathNameA, address = 0x77499fbf	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetFileTime, address = 0x7748bf09	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = QueryDosDeviceW, address = 0x7748f269	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CreateFileW, address = 0x7749b2d6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = LockFile, address = 0x7748bf97	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetFileSize, address = 0x7748d35b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetEndOfFile, address = 0x7748bab2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = WriteFile, address = 0x7748d11f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetFilePointer, address = 0x7748bb4f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = ReadFile, address = 0x7748cfad	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = WriteFileEx, address = 0x7748c30a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = WriteFileGather, address = 0x7748c5cf	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetFinalPathNameByHandleA, address = 0x7748d93f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetFinalPathNameByHandleW, address = 0x7748d44e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = RemoveDirectoryW, address = 0x7749841a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetDiskFreeSpaceW, address = 0x7749526c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CreateDirectoryW, address = 0x774982b7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = DefineDosDeviceW, address = 0x7748ef22	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FindFirstFileExA, address = 0x77499d44	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FindFirstFileExW, address = 0x77499554	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FindClose, address = 0x7749947a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetFileType, address = 0x7748cece	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FlushFileBuffers, address = 0x7748d280	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetFileAttributesW, address = 0x7749897c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetFileAttributesExW, address = 0x77498bc5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = DeleteFileW, address = 0x77498cd5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetFileTime, address = 0x7748be88	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = DeleteFileA, address = 0x77499022	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetFileAttributesA, address = 0x77498fa7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FindNextFileW, address = 0x77499280	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FindFirstFileW, address = 0x77499c32	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetLogicalDriveStringsW, address = 0x774955fa	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetTempFileNameW, address = 0x77494fad	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetVolumeInformationW, address = 0x77495fbb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CompareFileTime, address = 0x7748870b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CreateDirectoryA, address = 0x77498909	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FileTimeToLocalFileTime, address = 0x77488d21	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FileTimeToSystemTime, address = 0x77488607	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FindCloseChangeNotification, address = 0x774991f0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FindFirstFileA, address = 0x77499af0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FindFirstChangeNotificationA, address = 0x77499aad	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FindFirstChangeNotificationW, address = 0x774990b4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FindNextChangeNotification, address = 0x774991b1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FindNextFileA, address = 0x77499c51	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetDiskFreeSpaceA, address = 0x77495c85	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetDiskFreeSpaceExA, address = 0x77495cd6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetDiskFreeSpaceExW, address = 0x77495428	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = UnlockFileEx, address = 0x7748c0d9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetDriveTypeA, address = 0x77495f6f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetDriveTypeW, address = 0x77495870	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetFileAttributesExA, address = 0x77498fe4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetFileAttributesW, address = 0x77498b0e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetFileInformationByHandle, address = 0x7748bd62	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetFileSizeEx, address = 0x7748c14e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetVolumeInformationByHandleW, address = 0x77495d24	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = LocalFileTimeToFileTime, address = 0x77488d6e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = LockFileEx, address = 0x7748c026	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = ReadFileScatter, address = 0x7748c52a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = ReadFileEx, address = 0x7748c26a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = RemoveDirectoryA, address = 0x77498944	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetFileAttributesA, address = 0x77498f6c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetFileInformationByHandle, address = 0x7749b229	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetFilePointerEx, address = 0x7748bc71	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetFileValidData, address = 0x7748c671	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = UnlockFile, address = 0x7748d2ef	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = PostQueuedCompletionStatus, address = 0x774875ad	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetQueuedCompletionStatusEx, address = 0x77487723	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetQueuedCompletionStatus, address = 0x77487693	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CreateIoCompletionPort, address = 0x7748751a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CancelIoEx, address = 0x7748c4f1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetOverlappedResult, address = 0x774875e2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = DeviceIoControl, address = 0x7748c3aa	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = ChangeTimerQueueTimer, address = 0x7748a6c1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CreateTimerQueue, address = 0x7748a63e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = UnregisterWaitEx, address = 0x7748a563	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = DeleteTimerQueueTimer, address = 0x7748a70a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = DeleteTimerQueueEx, address = 0x7748a75d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CreateTimerQueueTimer, address = 0x7748a666	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetModuleHandleA, address = 0x77491ef5	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetModuleHandleW, address = 0x77491094	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetModuleHandleExA, address = 0x774910cd	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetModuleHandleExW, address = 0x77491142	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = LoadResource, address = 0x774912b6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = LockResource, address = 0x7748c71d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SizeofResource, address = 0x7749133b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetProcAddress, address = 0x77491180	4	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetModuleFileNameA, address = 0x77491e24	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FreeLibraryAndExitThread, address = 0x77490b76	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FindStringOrdinal, address = 0x774a12a1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = DisableThreadLibraryCalls, address = 0x77490bdb	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = LoadLibraryExA, address = 0x77491d54	4	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetModuleFileNameW, address = 0x77490c05	4	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FindResourceExW, address = 0x774921c1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FreeLibrary, address = 0x77491d92	4	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = LoadLibraryExW, address = 0x77491bb2	4	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FreeResource, address = 0x774913c0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = PeekNamedPipe, address = 0x774883c8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = DisconnectNamedPipe, address = 0x77487a50	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CreatePipe, address = 0x77487838	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = ConnectNamedPipe, address = 0x774879b8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetNamedPipeAttribute, address = 0x77487d16	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetNamedPipeClientComputerNameW, address = 0x77487de9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = WaitNamedPipeW, address = 0x774880b4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetNamedPipeHandleState, address = 0x77487af3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = CreateNamedPipeW, address = 0x77487e34	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = TransactNamedPipe, address = 0x77487bcc	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = IsWow64Process, address = 0x7748e4c0	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = LCMapStringA, address = 0x774a09be	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = LocalLock, address = 0x7749433d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = LocalReAlloc, address = 0x77494a9b	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = LocalUnlock, address = 0x77494439	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GlobalAlloc, address = 0x77493fa7	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FormatMessageW, address = 0x77493e37	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FormatMessageA, address = 0x77493c49	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = NeedCurrentDirectoryForExePathA, address = 0x7748eb4f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = EnumSystemLocalesA, address = 0x774a099f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = PulseEvent, address = 0x7749018f	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = Sleep, address = 0x77493511	4	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = Wow64DisableWow64FsRedirection, address = 0x7748c6c7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = Wow64RevertWow64FsRedirection, address = 0x7748c6f1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = lstrcmpW, address = 0x7748a389	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = lstrcmpiW, address = 0x7748a415	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = lstrcpynA, address = 0x7748a2b0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = lstrcpynW, address = 0x7748a47c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = lstrlenA, address = 0x7748a330	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FatalAppExitA, address = 0x7748ed99	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = NeedCurrentDirectoryForExePathW, address = 0x7748eb77	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FatalAppExitW, address = 0x7748e604	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = LocalAlloc, address = 0x774948f9	4	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GlobalFree, address = 0x77493e61	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = lstrlenW, address = 0x7748a505	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = LocalFree, address = 0x77493e61	4	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = IsProcessInJob, address = 0x7749b7c0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetLocalTime, address = 0x77488b39	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetSystemTimeAdjustment, address = 0x77488957	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetSystemTimeAsFileTime, address = 0x77488c67	4	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetTickCount64, address = 0x77488ccf	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetTimeZoneInformation, address = 0x77489730	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetTimeZoneInformationForYear, address = 0x77489c18	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetVersion, address = 0x774911fc	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetVersionExA, address = 0x77491f41	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetVersionExW, address = 0x77491232	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetWindowsDirectoryW, address = 0x77495c59	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetLocalTime, address = 0x774891f3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SystemTimeToTzSpecificLocalTime, address = 0x77489c36	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = TzSpecificLocalTimeToSystemTime, address = 0x77489f2c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetDynamicTimeZoneInformation, address = 0x774897de	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetLogicalProcessorInformation, address = 0x7748e386	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetSystemInfo, address = 0x7748e6b2	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetLogicalProcessorInformationEx, address = 0x7748e3e0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetWindowsDirectoryA, address = 0x77495c2d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GlobalMemoryStatusEx, address = 0x77494160	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetTickCount, address = 0x77488c96	4	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetSystemTime, address = 0x77488be7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SystemTimeToFileTime, address = 0x7748868f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetComputerNameExW, address = 0x77497d17	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetComputerNameExA, address = 0x77498197	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = VerLanguageNameA, address = 0x774a361a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FindNLSStringEx, address = 0x774b59a5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetThreadLocale, address = 0x774a341f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = NlsWriteEtwEvent, address = 0x774b2bea	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = NlsEventDataDescCreate, address = 0x774b2a9d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = ConvertDefaultLocale, address = 0x774a33fb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = VerLanguageNameW, address = 0x774a353b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetLocaleInfoW, address = 0x774a68f1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = SetCalendarInfoW, address = 0x774a36ff	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = LCMapStringW, address = 0x774a1e6a	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = IsValidLocale, address = 0x774a3168	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = IsValidLanguageGroup, address = 0x774a25e2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = IsValidCodePage, address = 0x774aecc1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = IsNLSDefinedString, address = 0x774b5a04	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetUserDefaultLCID, address = 0x774a270c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetUserDefaultLangID, address = 0x774a3459	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetThreadLocale, address = 0x774a26bf	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetSystemDefaultLCID, address = 0x774a26ef	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetSystemDefaultLangID, address = 0x774a26d1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetProcessPreferredUILanguages, address = 0x774b1811	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetOEMCP, address = 0x774ada56	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetLocaleInfoW, address = 0x774a7304	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetCPInfoExW, address = 0x774aee5f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetCPInfo, address = 0x774aedba	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetACP, address = 0x774ada4b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetFileMUIPath, address = 0x774b172c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = FindNLSString, address = 0x774a1f19	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = NlsUpdateSystemLocale, address = 0x774a7669	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = NlsUpdateLocale, address = 0x774a771c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = NlsGetCacheUpdateCount, address = 0x7749ffc6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = NlsCheckPolicy, address = 0x774a24a2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetCalendarInfoW, address = 0x774a7264	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetCalendarInfoEx, address = 0x774a72b4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetLocaleInfoEx, address = 0x774a734d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetSystemPreferredUILanguages, address = 0x774b18b4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetThreadPreferredUILanguages, address = 0x774b17d8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetThreadUILanguage, address = 0x774b1946	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetUILanguageInfo, address = 0x774b1770	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetUserPreferredUILanguages, address = 0x774b18fd	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = IsValidLocaleName, address = 0x774a2d72	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = LCMapStringEx, address = 0x774ad8a6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = LocaleNameToLCID, address = 0x774a393a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = ResolveLocaleName, address = 0x774a3b6c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetFileMUIInfo, address = 0x774b126b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernelbase.dll	function = GetEnvironmentStrings, address = 0x7748fb3b	1	Fn
For performance reasons, the remaining 652 entries are omitted. Click to download all 1652 entries as text file (0.64 MB).

Registry (25)

Operation	Key	Additional Information	Count	Logfile
OPEN_KEY	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters		1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters	value_name = DefaultTTL, data_ident_out = 0	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\software\classes\http\shell\open\command	data_ident_out = "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome	1	Fn
READ_VALUE	HKEY_USERS\.DEFAULT\software\microsoft\internet explorer\international	value_name = acceptlanguage	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-19\software\microsoft\internet explorer\international	value_name = acceptlanguage	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-20\software\microsoft\internet explorer\international	value_name = acceptlanguage	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\software\microsoft\internet explorer\international	value_name = acceptlanguage	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000_Classes\software\microsoft\internet explorer\international	value_name = acceptlanguage	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-18\software\microsoft\internet explorer\international	value_name = acceptlanguage	1	Fn
WRITE_VALUE	HKEY_CURRENT_USER\software\microsoft\internet explorer\main\featurecontrol\FEATURE_BROWSER_EMULATION	value_name = ping.exe, data = 8888	1	Fn
WRITE_VALUE	HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings	value_name = maxhttpredirects, data = 9999	1	Fn
WRITE_VALUE	HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings	value_name = enablehttp1_1, data = 1	1	Fn
WRITE_VALUE	HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3	value_name = currentlevel, data = 0	1	Fn
WRITE_VALUE	HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3	value_name = 1601, data = 0	1	Fn
WRITE_VALUE	HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3	value_name = 1400, data = 0	1	Fn
WRITE_VALUE	HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3	value_name = 1A10, data = 0	1	Fn
WRITE_VALUE	HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3	value_name = {AEBA21FA-782A-4A90-978D-B72164C80120}	1	Fn Data
WRITE_VALUE	HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3	value_name = {A8A88C49-5EB2-4990-A1A2-0876022C854F}	1	Fn Data
WRITE_VALUE	HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3	value_name = 1001, data = 0	1	Fn
WRITE_VALUE	HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3	value_name = 1200, data = 0	1	Fn
WRITE_VALUE	HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3	value_name = 1208, data = 0	1	Fn
WRITE_VALUE	HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3	value_name = 1209, data = 0	1	Fn
WRITE_VALUE	HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3	value_name = 1405, data = 0	1	Fn
WRITE_VALUE	HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3	value_name = 2000, data = 0	1	Fn
WRITE_VALUE	HKEY_CURRENT_USER\software\microsoft\internet explorer\international	value_name = acceptlanguage, data = en-us	1	Fn

System (35)

Operation	Information	Count	Logfile
SLEEP	duration = 600000 milliseconds (600.000 seconds)	1	Fn
SLEEP	duration = 1000 milliseconds (1.000 seconds)	29	Fn
SLEEP	duration = 10000 milliseconds (10.000 seconds)	3	Fn
GET_INFO	type = SYSTEM_PROCESS_INFORMATION	2	Fn

Mutex (16)

Operation	Name	Additional Information	Count	Logfile
CREATE	Global\D6E9C81C-3831-4873-96BA-7C98D2DEBEF9	initial_owner = 0	1	Fn
CREATE	Global\C3819288-93FA-4E29-A254-BD9476B53C20	initial_owner = 0	1	Fn
CREATE	Global\6C29A0C8-62C6-415C-9538-B87690BC58D2	initial_owner = 0	1	Fn
RELEASE	Global\C3819288-93FA-4E29-A254-BD9476B53C20		13	Fn

Ini (13)

Operation	Filename	Additional Information	Count	Logfile
READ	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = cmd, key_name = bsh, default_value = noname, data_out = noname	2	Fn
READ	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = main, key_name = aid, default_value = 10000, data_out = 66671	1	Fn
READ	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = main, key_name = sid, default_value = 0, data_out = 0	1	Fn
READ	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = main, key_name = version, default_value = 0.0, data_out = 0.03	1	Fn
READ	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = main, key_name = installdate, default_value = 0, data_out = 6.12.2016 9:36:14	1	Fn
READ	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = main, key_name = builddate, default_value = 0, data_out = 351	1	Fn
READ	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = main, key_name = rnd, default_value = *, data_out = 2040373303	1	Fn
READ	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = cmd, key_name = nuh, default_value = 0	1	Fn
READ	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = cmd, key_name = dlc_srand, default_value = 0	1	Fn
READ	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = cmd, key_name = ns_conf, default_value = 3	1	Fn
READ	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = cmd, key_name = csrv, default_value = , data_out =	1	Fn
WRITE	\\?\globalroot\device\000001a9\0d24eb7c\cfg.ini	section_name = cmd, key_name = version, data = 0.31	1	Fn

Network Behavior

HTTP Session (1)

Remote Address	Remote Port	Username	Password	Success	Count
6zrt3vuwf-39qwkam.com	80				1

HTTP Request (1)

Method	URL	Success	Count
GET	http://6zrt3vuwf-39qwkam.com/evh0yGtD7e5QO1U4Y2xrPTMuNyZiaWQ9bm9uYW1lJmFpZD02NjY3MSZzaWQ9MCZyZD0xNDgxMDE2OTc037x		1

DNS (1)

Operation	Host	Additional Information	Success	Count	Logfile
RESOLVE_NAME	127.0.0.1			1	Fn

ICMP (29)

Operation	Host	Additional Information	Success	Count	Logfile
SEND	127.0.0.1	source_address = 0.0.0.0, timeout = 4000		29	Fn

TCP Outgoing Connection (1)

Remote Address	Remote Port	L7Protocol	Success	Count
6zrt3vuwf-39qwkam.com	80	http		1

Process #29: spoolsv.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#29 / 0x514
OS Parent PID	0x1d4 (c:\windows\system32\services.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\spoolsv.exe
Command Line	C:\Windows\System32\spoolsv.exe
Monitor	Start Time: 00:01:35, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:00:35
OS Thread IDs	# 317 0x 518 # 329 0x 54C # 332 0x 558 # 333 0x 55C # 336 0x 568 # 347 0x 598

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000030000	0x00030000	0x0006ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00073fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000080000	0x00080000	0x00080fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x00000000000a0000	0x000a0000	0x000affff	Pagefile Backed Memory	Readable, Writable	Region Actions
locale.nls	0x000b0000	0x00116fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x00126fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000130000	0x00130000	0x00131fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000140000	0x00140000	0x00140fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x0017ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000180000	0x00180000	0x0027ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000280000	0x00280000	0x0037ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000380000	0x00380000	0x00507fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000510000	0x00510000	0x00690fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006a0000	0x006a0000	0x01a9ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001aa0000	0x01aa0000	0x01e92fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001ec0000	0x01ec0000	0x01efffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f70000	0x01f70000	0x01feffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002040000	0x02040000	0x020bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002120000	0x02120000	0x0215ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002160000	0x02160000	0x0219ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000021f0000	0x021f0000	0x0222ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x022e0000	0x025aefff	Memory Mapped File	Readable	Region Actions
private_0x0000000002760000	0x02760000	0x027dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029b0000	0x029b0000	0x029bffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
spoolsv.exe	0xffe60000	0xffeebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefb740000	0x7fefb74afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x7fefcb90000	0x7fefcbbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefd060000	0x7fefd069fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x7fefd2b0000	0x7fefd30afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd490000	0x7fefd4a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefda00000	0x7fefda0afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefda60000	0x7fefda84fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefda90000	0x7fefda9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefdb40000	0x7fefdb53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefddc0000	0x7fefddf5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefde70000	0x7fefde89fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feff1e0000	0x7feff22cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7feff310000	0x7feff4e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feffce0000	0x7feffce7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\System32\spoolsv.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn

Process #30: conhost.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#30 / 0x524
OS Parent PID	0x144 (c:\windows\system32\csrss.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\conhost.exe
Command Line	\??\C:\Windows\system32\conhost.exe
Monitor	Start Time: 00:01:36, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:00:34
OS Thread IDs	# 322 0x 528 # 328 0x 544 # 337 0x 56C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000030000	0x00030000	0x0006ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000080000	0x00080000	0x0008ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
locale.nls	0x00090000	0x000f6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x001bffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001c0000	0x001c0000	0x001c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001d0000	0x001d0000	0x001d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
conhost.exe.mui	0x001e0000	0x001e0fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x001f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000200000	0x00200000	0x00200fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000230000	0x00230000	0x0032ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000330000	0x00330000	0x004b7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000004c0000	0x004c0000	0x00640fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000690000	0x00690000	0x0069ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000006a0000	0x006a0000	0x0079ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000940000	0x00940000	0x009bffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x009c0000	0x00c8efff	Memory Mapped File	Readable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
conhost.exe	0xff3b0000	0xff406fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\system32\conhost.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn

Process #31: dllhost.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#31 / 0x534
OS Parent PID	0x250 (c:\windows\system32\svchost.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\dllhost.exe
Command Line	C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Monitor	Start Time: 00:01:36, Reason: Child Process
Unmonitor	End Time: 00:01:49, Reason: Terminated
Monitor Duration	00:00:13
OS Thread IDs	# 325 0x 538 # 335 0x 560 # 338 0x 570 # 343 0x 588 # 344 0x 58C # 345 0x 590 # 355 0x 5BC # 390 0x 644

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x00010fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00020fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000040000	0x00040000	0x00040fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x0005ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
locale.nls	0x00060000	0x000c6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00101fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000110000	0x00110000	0x00116fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x00121fff	Pagefile Backed Memory	Readable	Region Actions
{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000009.db	0x00130000	0x00145fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000150000	0x00150000	0x00150fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000160000	0x00160000	0x00161fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x002affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000350000	0x00350000	0x0044ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000450000	0x00450000	0x0054ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000550000	0x00550000	0x0055ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000560000	0x00560000	0x006e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006f0000	0x006f0000	0x00870fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000880000	0x00880000	0x01c7ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001d50000	0x01d50000	0x01dcffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001dd0000	0x01dd0000	0x01eaefff	Pagefile Backed Memory	Readable	Region Actions
SortDefault.nls	0x01ef0000	0x021befff	Memory Mapped File	Readable	Region Actions
private_0x0000000002270000	0x02270000	0x0236ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000023c0000	0x023c0000	0x024bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000025b0000	0x025b0000	0x026affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000026b0000	0x026b0000	0x027affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002810000	0x02810000	0x0281ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002840000	0x02840000	0x0293ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002990000	0x02990000	0x02a8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002bb0000	0x02bb0000	0x02c2ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002c30000	0x02c30000	0x03022fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000030a0000	0x030a0000	0x0319ffff	Private Memory	Readable, Writable	Region Actions
ksuser.dll	0x743b0000	0x743b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
dllhost.exe	0xff710000	0xff716fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
PhotoMetadataHandler.dll	0x7fef93c0000	0x7fef942afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mf.dll	0x7fef9870000	0x7fef9c60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mfplat.dll	0x7fef9f20000	0x7fef9f8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefa120000	0x7fefa1bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
thumbcache.dll	0x7fefa430000	0x7fefa44efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
actxprxy.dll	0x7fefaaa0000	0x7fefab8dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x7fefb350000	0x7fefb3a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefb8e0000	0x7fefb8f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefbb30000	0x7fefbb5cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
avrt.dll	0x7fefbb60000	0x7fefbb68fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WindowsCodecs.dll	0x7fefbf20000	0x7fefc049fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc4c0000	0x7fefc515fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc520000	0x7fefc64bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefc6a0000	0x7fefc893fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcd60000	0x7fefcd6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd190000	0x7fefd1d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd490000	0x7fefd4a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefda90000	0x7fefda9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefdb40000	0x7fefdb53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefddc0000	0x7fefddf5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefde70000	0x7fefde89fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7fefdf70000	0x7fefecf7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feff1e0000	0x7feff22cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7feff310000	0x7feff4e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff570000	0x7feff608fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x7feff680000	0x7feff6d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feffce0000	0x7feffce7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\system32\DllHost.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn

Process #32: taskhost.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#32 / 0x578
OS Parent PID	0x1d4 (c:\windows\system32\services.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\taskhost.exe
Command Line	"taskhost.exe"
Monitor	Start Time: 00:01:37, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:00:33
OS Thread IDs	# 340 0x 57C # 354 0x 5B8 # 359 0x 5CC # 361 0x 5D4 # 363 0x 5DC # 364 0x 5E0 # 371 0x 600 # 374 0x 608 # 428 0x 6E4 # 429 0x 6E8 # 430 0x 6EC # 489 0x 7E0 # 524 0x 460 # 525 0x 528

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x00010fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00020fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000040000	0x00040000	0x00040fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x0005ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
locale.nls	0x00060000	0x000c6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000d0000	0x000d0000	0x001cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001d0000	0x001d0000	0x001d6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001e0000	0x001e0000	0x001e1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x00270fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000280000	0x00280000	0x00280fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000290000	0x00290000	0x0036efff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000370000	0x00370000	0x00371fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000380000	0x00380000	0x00382fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000003d0000	0x003d0000	0x003dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000420000	0x00420000	0x0051ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000520000	0x00520000	0x006a7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006b0000	0x006b0000	0x00830fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000840000	0x00840000	0x01c3ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001c40000	0x01c40000	0x02032fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002090000	0x02090000	0x0210ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002140000	0x02140000	0x021bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002250000	0x02250000	0x022cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002330000	0x02330000	0x023affff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x023e0000	0x026aefff	Memory Mapped File	Readable	Region Actions
private_0x00000000026f0000	0x026f0000	0x0276ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002770000	0x02770000	0x027effff	Private Memory	Readable, Writable	Region Actions
KernelBase.dll.mui	0x02770000	0x0282ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000002830000	0x02830000	0x028affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000028f0000	0x028f0000	0x0296ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002930000	0x02930000	0x029affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029b0000	0x029b0000	0x02a2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a40000	0x02a40000	0x02abffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ac0000	0x02ac0000	0x02b3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b50000	0x02b50000	0x02bcffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002bf0000	0x02bf0000	0x02c6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c70000	0x02c70000	0x02c7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002cb0000	0x02cb0000	0x02d2ffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
taskhost.exe	0xff250000	0xff263fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
CertEnroll.dll	0x7fef6a50000	0x7fef6c35fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
certcli.dll	0x7fef6c40000	0x7fef6cb3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
npmproxy.dll	0x7fef7a80000	0x7fef7a8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netprofm.dll	0x7fef7d50000	0x7fef7dc3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pautoenr.dll	0x7fef9890000	0x7fef989ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dimsjob.dll	0x7fef98a0000	0x7fef98adfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msutb.dll	0x7fef9e30000	0x7fef9e6cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
PlaySndSrv.dll	0x7fefb5c0000	0x7fefb5d7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x7fefb620000	0x7fefb65afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefb740000	0x7fefb74afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskschd.dll	0x7fefb7b0000	0x7fefb8d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefb8e0000	0x7fefb8f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x7fefb940000	0x7fefb954fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
HotStartUserAgent.dll	0x7fefbc20000	0x7fefbc2afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
MsCtfMonitor.dll	0x7fefbde0000	0x7fefbdeafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefbef0000	0x7fefbf00fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefc090000	0x7fefc0a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc4c0000	0x7fefc515fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd190000	0x7fefd1d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd490000	0x7fefd4a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefda60000	0x7fefda84fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefda90000	0x7fefda9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefdb40000	0x7fefdb53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefdb60000	0x7fefdb9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff570000	0x7feff608fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x7feff680000	0x7feff6d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feffce0000	0x7feffce7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\system32\taskhost.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn

Process #33: svchost.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#33 / 0x5b0
OS Parent PID	0x1d4 (c:\windows\system32\services.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
Monitor	Start Time: 00:01:37, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:00:33
OS Thread IDs	# 353 0x 5B4 # 358 0x 5C8 # 365 0x 5E4 # 368 0x 5F0 # 369 0x 5F4 # 372 0x 604 # 381 0x 620 # 384 0x 62C # 386 0x 634 # 387 0x 638 # 401 0x 670 # 403 0x 678 # 408 0x 68C # 417 0x 6B8 # 420 0x 6C4 # 421 0x 6C8 # 422 0x 6CC # 423 0x 6D0 # 471 0x 798 # 476 0x 7AC # 480 0x 7BC # 481 0x 7C0 # 483 0x 7C8 # 484 0x 7CC # 485 0x 7D0 # 521 0x 214

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
FirewallAPI.dll.mui	0x00010000	0x0002bfff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x0006ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00076fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000080000	0x00080000	0x00081fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000a0000	0x000a0000	0x000a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000b0000	0x000b0000	0x000b0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00150000	0x001b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000001c0000	0x001c0000	0x0027ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000280000	0x00280000	0x0037ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000380000	0x00380000	0x0047ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000480000	0x00480000	0x00480fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000490000	0x00490000	0x00497fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004a0000	0x004a0000	0x004a1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000004c0000	0x004c0000	0x004cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004d0000	0x004d0000	0x00657fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000660000	0x00660000	0x007e0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007f0000	0x007f0000	0x00be2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000c60000	0x00c60000	0x00cdffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d20000	0x00d20000	0x00d9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000da0000	0x00da0000	0x00e1ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00e20000	0x010eefff	Memory Mapped File	Readable	Region Actions
private_0x0000000001110000	0x01110000	0x0118ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000011a0000	0x011a0000	0x0121ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001240000	0x01240000	0x012bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000012b0000	0x012b0000	0x0132ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001350000	0x01350000	0x013cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001430000	0x01430000	0x014affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014c0000	0x014c0000	0x0153ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001540000	0x01540000	0x015bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001580000	0x01580000	0x015fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001640000	0x01640000	0x016bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016d0000	0x016d0000	0x0174ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001760000	0x01760000	0x017dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001780000	0x01780000	0x017fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001800000	0x01800000	0x0187ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001890000	0x01890000	0x0190ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001930000	0x01930000	0x019affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000019f0000	0x019f0000	0x01a6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a70000	0x01a70000	0x01aeffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b00000	0x01b00000	0x01b7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b80000	0x01b80000	0x01c7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c80000	0x01c80000	0x01d7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001de0000	0x01de0000	0x01e5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e80000	0x01e80000	0x01efffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002010000	0x02010000	0x0208ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002090000	0x02090000	0x0228ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000023d0000	0x023d0000	0x024effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024f0000	0x024f0000	0x026f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002740000	0x02740000	0x027bffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
svchost.exe	0xff1c0000	0xff1cafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wdiasqmmodule.dll	0x7fef7960000	0x7fef796cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
radardt.dll	0x7fef7970000	0x7fef798cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pnpts.dll	0x7fef7990000	0x7fef7997fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
diagperf.dll	0x7fef7b20000	0x7fef7c69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wdi.dll	0x7fef7c70000	0x7fef7c88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wfapigp.dll	0x7fef8ce0000	0x7fef8ce9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dps.dll	0x7fef8d80000	0x7fef8dabfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
MPSSVC.dll	0x7fef9c70000	0x7fef9d3dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
BFE.DLL	0x7fef9e70000	0x7fef9f1ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x7fefac70000	0x7fefac87fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc6.dll	0x7fefac90000	0x7fefaca0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FWPUCLNT.DLL	0x7fefacc0000	0x7fefad12fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7fefb680000	0x7fefb68afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IPHLPAPI.DLL	0x7fefb690000	0x7fefb6b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefb740000	0x7fefb74afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskschd.dll	0x7fefb7b0000	0x7fefb8d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefbb30000	0x7fefbb5cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefbef0000	0x7fefbf00fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcd60000	0x7fefcd6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FirewallAPI.dll	0x7fefcd70000	0x7fefce2afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WSHTCPIP.DLL	0x7fefce30000	0x7fefce36fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pcwum.dll	0x7fefcef0000	0x7fefcefcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x7fefcf30000	0x7fefcf4afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefcf50000	0x7fefcf6dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefd060000	0x7fefd069fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd420000	0x7fefd426fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd430000	0x7fefd484fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd490000	0x7fefd4a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
authz.dll	0x7fefd660000	0x7fefd68efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefda00000	0x7fefda0afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefda60000	0x7fefda84fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefda90000	0x7fefda9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefdb40000	0x7fefdb53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefdba0000	0x7fefdbaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefddc0000	0x7fefddf5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feff1e0000	0x7feff22cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff570000	0x7feff608fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x7feff680000	0x7feff6d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feffce0000	0x7feffce7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff92000	0x7fffff92000	0x7fffff93fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff94000	0x7fffff94000	0x7fffff95fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff96000	0x7fffff96000	0x7fffff97fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff98000	0x7fffff98000	0x7fffff99fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9a000	0x7fffff9a000	0x7fffff9bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9c000	0x7fffff9c000	0x7fffff9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9e000	0x7fffff9e000	0x7fffff9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\system32\svchost.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn

Process #34: jusched.exe

(Host: 215, Network: 0)

Information	Value
ID / OS PID	#34 / 0x5f8
OS Parent PID	0x4d0 (c:\windows\syswow64\runonce.exe)
Initial Working Directory	C:\Windows\SysWOW64
File Name	c:\program files (x86)\common files\java\java update\jusched.exe
Command Line	"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
Monitor	Start Time: 00:01:39, Reason: Child Process
Unmonitor	End Time: 00:01:42, Reason: Terminated
Monitor Duration	00:00:03
OS Thread IDs	# 370 0x 5FC # 406 0x 684

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x0007ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0010ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00110000	0x00176fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001a0000	0x001a0000	0x0021ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000230000	0x00230000	0x0032ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000340000	0x00340000	0x0037ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003c0000	0x003c0000	0x004bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005e0000	0x005e0000	0x005effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000610000	0x00610000	0x0061ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000620000	0x00620000	0x007a7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007b0000	0x007b0000	0x00930fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000b00000	0x00b00000	0x00b3ffff	Private Memory	Readable, Writable	Region Actions
jusched.exe	0x00e80000	0x00f14fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000f20000	0x00f20000	0x0231ffff	Pagefile Backed Memory	Readable	Region Actions
SortDefault.nls	0x02320000	0x025eefff	Memory Mapped File	Readable	Region Actions
wow64cpu.dll	0x74560000	0x74567fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74570000	0x745cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x745d0000	0x7460efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msi.dll	0x75490000	0x756cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x758e0000	0x7595ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x75960000	0x75968fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75980000	0x7598bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75990000	0x759effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75a80000	0x75b7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x75b80000	0x75c9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x75ca0000	0x75d3cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75d60000	0x75ebbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75ec0000	0x75fb4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75fc0000	0x7606bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76210000	0x76266fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76300000	0x7640ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x764d0000	0x764dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76510000	0x765fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76600000	0x76609fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x76610000	0x77259fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x772d0000	0x7736ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77370000	0x77388fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x77390000	0x7741ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77420000	0x7747ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x77480000	0x774c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x77510000	0x7770afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x77710000	0x777dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x777e0000	0x77915fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x77920000	0x77949fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x77950000	0x779defff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077a30000	0x77a30000	0x77b4efff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000077b50000	0x77b50000	0x77c49fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77e30000	0x77faffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

Process (1)

Operation	Process Name	Additional Information	Success	Count	Logfile
GET_INFO	c:\windows\syswow64\ping.exe	os_pid = 0x50c		1	Fn

Module (212)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32.DLL	base_address = 0x76300000	2	Fn
LOAD	ADVAPI32.dll	base_address = 0x772d0000	2	Fn
LOAD	imagehlp.dll	base_address = 0x77920000	2	Fn
LOAD	ntdll.dll	base_address = 0x77e30000	2	Fn
LOAD	ole32.dll	base_address = 0x75d60000	2	Fn
LOAD	SHELL32.dll	base_address = 0x76610000	2	Fn
LOAD	SHLWAPI.dll	base_address = 0x76210000	2	Fn
LOAD	USER32.dll	base_address = 0x75a80000	2	Fn
LOAD	WININET.dll	base_address = 0x75ec0000	2	Fn
GET_HANDLE	c:\windows\syswow64\kernel32.dll	base_address = 0x76300000	1	Fn
GET_FILENAME	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	address = 0x763210b5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LoadLibraryA, address = 0x763149d7	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address = 0x76311222	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualProtect, address = 0x7631435f	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address = 0x76311856	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address = 0x7631186e	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = SetSecurityInfo, address = 0x772d9edf	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x779283f7	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = atol, address = 0x77e7d300	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ole32.dll	function = CoUninitialize, address = 0x75da86d3	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shell32.dll	function = SHGetSpecialFolderPathA, address = 0x7685fb26	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = StrStrA, address = 0x7623c45b	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = SetTimer, address = 0x75a979fb	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address = 0x75eef18e	2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetEndOfFile, address = 0x7632ce2e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetEvent, address = 0x763116c5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address = 0x763111f8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SuspendThread, address = 0x76337d7e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = OpenThread, address = 0x76321248	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SystemTimeToFileTime, address = 0x76315a7e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetVersionExA, address = 0x76313519	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetLocaleInfoA, address = 0x7632d5e5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address = 0x76311809	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetWindowsDirectoryA, address = 0x76332b0a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WinExec, address = 0x76392c21	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCommandLineA, address = 0x763151a1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x763187c9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LocalFree, address = 0x76312d3c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetWaitableTimer, address = 0x7633bb2f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateWaitableTimerA, address = 0x76394c24	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateThread, address = 0x763134d5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CopyFileA, address = 0x763358e5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FileTimeToSystemTime, address = 0x7631542c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = UnmapViewOfFile, address = 0x76311826	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = MapViewOfFile, address = 0x763118f1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateFileMappingA, address = 0x76315506	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleA, address = 0x76311245	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = RemoveDirectoryA, address = 0x763944bf	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = DeleteFileA, address = 0x76315444	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryA, address = 0x7633d526	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetTempPathA, address = 0x7633276c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x76313509	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetThreadPriority, address = 0x763132bb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address = 0x7631170d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address = 0x7631192e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address = 0x7631110c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentThreadId, address = 0x76311450	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetSystemInfo, address = 0x763149ca	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = QueueUserWorkItem, address = 0x7632ca80	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = Sleep, address = 0x763110ff	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address = 0x7632d802	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = ResumeThread, address = 0x763143ef	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetThreadContext, address = 0x76395393	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetThreadContext, address = 0x763379d4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WriteProcessMemory, address = 0x7632d9e0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualAllocEx, address = 0x7632d9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateProcessA, address = 0x76311072	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualFreeEx, address = 0x7632d9c8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address = 0x76317a10	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FindClose, address = 0x76314442	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FindNextFileA, address = 0x7633d53e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FindFirstFileA, address = 0x7631e2ce	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address = 0x763117d1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameA, address = 0x763114b1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address = 0x77e52270	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address = 0x77e522b0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSection, address = 0x77e62c42	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address = 0x7631469b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WriteFile, address = 0x76311282	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = ReadFile, address = 0x76313ed3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address = 0x76311410	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetFileSize, address = 0x7631196e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateFileA, address = 0x763153c6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x7638a0b5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetPrivateProfileIntA, address = 0x7633cdd7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetPrivateProfileStringA, address = 0x7632184c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WritePrivateProfileStringA, address = 0x76337048	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapCreate, address = 0x76314a2d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapDestroy, address = 0x763135b7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address = 0x77e5e026	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address = 0x77e71f6e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapFree, address = 0x763114c9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateMutexA, address = 0x76314c6b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetLastError, address = 0x763111c0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address = 0x76311136	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = ReleaseMutex, address = 0x7631111e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x772e1f59	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x772e4608	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = CreateProcessAsUserA, address = 0x77312538	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = AdjustTokenPrivileges, address = 0x772e418e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = LookupPrivilegeValueA, address = 0x772e404a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = OpenProcessToken, address = 0x772e4304	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77e4fda0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwSetInformationToken, address = 0x77e51a78	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwDuplicateToken, address = 0x77e4fec8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwClose, address = 0x77e4f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77e4feb0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwOpenProcessToken, address = 0x77e510b0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = qsort, address = 0x77f05191	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = swprintf, address = 0x77f0550d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _wcsnicmp, address = 0x77e5f63b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _wcsicmp, address = 0x77e69337	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strstr, address = 0x77eac780	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = sprintf, address = 0x77f053c3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strncat, address = 0x77eac570	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strchr, address = 0x77e69c70	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strrchr, address = 0x77eac700	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ispunct, address = 0x77f043f3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = isalnum, address = 0x77f04418	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strncpy, address = 0x77ea5c30	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlComputeCrc32, address = 0x77eeffc1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _snprintf, address = 0x77f04760	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77e5e7f3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _stricmp, address = 0x77e6c7b9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _snwprintf, address = 0x77e62417	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = sscanf, address = 0x77f054a7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77e4fb48	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77e4fab0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlImageNtHeader, address = 0x77e63164	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77e5f546	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = ZwContinue, address = 0x77e4fee0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlInsertElementGenericTable, address = 0x77e7939a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlDeleteElementGenericTable, address = 0x77e7a168	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlLookupElementGenericTable, address = 0x77e7a104	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlRandom, address = 0x77ef98c3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strpbrk, address = 0x77eac6c0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = strncmp, address = 0x77e92f65	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _strnicmp, address = 0x77e8c27c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _strlwr, address = 0x77f04a48	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77e7c4ca	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlInitializeGenericTable, address = 0x77e6ff97	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = RtlEnumerateGenericTable, address = 0x77ef2a56	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = memset, address = 0x77e5df20	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = memcpy, address = 0x77e52340	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = atoi, address = 0x77e7d2f3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = _allmul, address = 0x77e72760	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ole32.dll	function = CoInitializeEx, address = 0x75da09ad	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ole32.dll	function = CoCreateInstance, address = 0x75da9d0b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathMatchSpecA, address = 0x7624af13	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathRemoveBackslashA, address = 0x76248d1a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathFindExtensionA, address = 0x7623eced	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = SHGetValueA, address = 0x7621cf09	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = SHEnumKeyExA, address = 0x7624fdb6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = SHSetValueA, address = 0x7624b0ef	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathFindFileNameA, address = 0x762200aa	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = StrStrIW, address = 0x762246e9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsA, address = 0x7624ad1a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathAppendA, address = 0x7621d65e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7623e20b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathAddBackslashA, address = 0x7621cf33	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = StrStrIA, address = 0x7621d250	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = DestroyWindow, address = 0x75a99a55	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetClientRect, address = 0x75aa0c62	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = ChildWindowFromPoint, address = 0x75ad8cf0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = ClientToScreen, address = 0x75aa2606	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = ScreenToClient, address = 0x75aa227d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = PostMessageW, address = 0x75aa12a5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = CreateWindowExW, address = 0x75a98a29	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetMessageW, address = 0x75a978e2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = TranslateMessage, address = 0x75a97809	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = DispatchMessageW, address = 0x75a9787b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = KillTimer, address = 0x75a979db	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = SetWindowLongW, address = 0x75a98332	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetWindowLongW, address = 0x75a96ffe	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = PostQuitMessage, address = 0x75a99abb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = DefWindowProcW, address = 0x77e625dd	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = FindWindowW, address = 0x75a998fd	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = ExitWindowsEx, address = 0x75ae1497	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = RegisterClassExW, address = 0x75a9b17d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetSystemMetrics, address = 0x75a97d2f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address = 0x75edab49	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetConnectA, address = 0x75ee49e9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = HttpOpenRequestA, address = 0x75ee4c7d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = HttpSendRequestA, address = 0x75f518f8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetQueryOptionW, address = 0x75ed7ed7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetSetOptionW, address = 0x75ed7741	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = HttpQueryInfoW, address = 0x75ee5c75	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetReadFile, address = 0x75edb406	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\wininet.dll	function = InternetCrackUrlA, address = 0x75ecd075	1	Fn

Registry (2)

Operation	Key	Additional Information	Success	Count	Logfile
OPEN_KEY	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem			1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem	value_name = Win31FileSystem, data_ident_out = 0		1	Fn

Process #35: taskhost.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#35 / 0x788
OS Parent PID	0x1d4 (c:\windows\system32\services.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\taskhost.exe
Command Line	taskhost.exe SYSTEM
Monitor	Start Time: 00:01:48, Reason: Child Process
Unmonitor	End Time: 00:01:55, Reason: Terminated
Monitor Duration	00:00:07
OS Thread IDs	# 511 0x 78C # 522 0x 21C # 523 0x 32C # 526 0x 328 # 527 0x 324 # 528 0x 548 # 529 0x 34C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x00010fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00020fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000040000	0x00040000	0x00040fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x0005ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
locale.nls	0x00060000	0x000c6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d6fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x00122fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000170000	0x00170000	0x001effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x002effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002f0000	0x002f0000	0x003effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003f0000	0x003f0000	0x00577fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000580000	0x00580000	0x00700fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000710000	0x00710000	0x007cffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007d0000	0x007d0000	0x00bc2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000c10000	0x00c10000	0x00c8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c90000	0x00c90000	0x00d0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d10000	0x00d10000	0x00d8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000de0000	0x00de0000	0x00e5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000eb0000	0x00eb0000	0x00ebffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ec0000	0x00ec0000	0x00f3ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00f60000	0x0122efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001300000	0x01300000	0x0137ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014e0000	0x014e0000	0x0155ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015b0000	0x015b0000	0x0162ffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
taskhost.exe	0xff250000	0xff263fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
CertEnroll.dll	0x7fef69d0000	0x7fef6bb5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
certcli.dll	0x7fef6bc0000	0x7fef6c33fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
npmproxy.dll	0x7fef7a80000	0x7fef7a8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netprofm.dll	0x7fef7d50000	0x7fef7dc3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pautoenr.dll	0x7fef9880000	0x7fef988ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dimsjob.dll	0x7fef98a0000	0x7fef98adfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dsrole.dll	0x7fefb750000	0x7fefb75bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskschd.dll	0x7fefb7b0000	0x7fefb8d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefb8e0000	0x7fefb8f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x7fefb940000	0x7fefb954fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd190000	0x7fefd1d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd490000	0x7fefd4a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefda60000	0x7fefda84fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefda90000	0x7fefda9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefdb40000	0x7fefdb53fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff570000	0x7feff608fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x7feff680000	0x7feff6d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feffce0000	0x7feffce7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\system32\taskhost.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn

Process #36: dllhost.exe

(Host: 156, Network: 0)

Information	Value
ID / OS PID	#36 / 0x348
OS Parent PID	0x250 (c:\windows\system32\svchost.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\dllhost.exe
Command Line	C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Monitor	Start Time: 00:01:56, Reason: Child Process
Unmonitor	End Time: 00:02:10, Reason: Terminated by Timeout
Monitor Duration	00:00:14
OS Thread IDs	# 534 0x 30C # 536 0x 4B8 # 537 0x 480 # 538 0x 5A0 # 539 0x 5BC # 540 0x 540

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000010000	0x00010000	0x00023fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000040000	0x00040000	0x00040fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x0005ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
locale.nls	0x00060000	0x000c6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x001effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x002effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000360000	0x00360000	0x0045ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000460000	0x00460000	0x005e7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000005f0000	0x005f0000	0x005fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000600000	0x00600000	0x00780fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000790000	0x00790000	0x01b8ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001d60000	0x01d60000	0x01ddffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x020c0000	0x0238efff	Memory Mapped File	Readable	Region Actions
kernel32.dll	0x77a30000	0x77b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77b50000	0x77c49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c50000	0x77df8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77e20000	0x77e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
dllhost.exe	0xffd40000	0xffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdc40000	0x7fefdc4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc50000	0x7fefddb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefde00000	0x7fefde6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefed00000	0x7fefed1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefed20000	0x7fefedfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefee00000	0x7fefef77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef80000	0x7feff0a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff1d0000	0x7feff1ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff230000	0x7feff306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff4f0000	0x7feff560fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feff610000	0x7feff676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7feff6e0000	0x7feff938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff940000	0x7feffb42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x7feffb50000	0x7feffb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7feffb70000	0x7feffc38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feffc40000	0x7feffcdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7feffcf0000	0x7feffd1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feffd20000	0x7feffe4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feffe50000	0x7fefff58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7fefff70000	0x7fefff70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

Module (156)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32	base_address = 0x77a30000	1	Fn
LOAD	ntdll.dll	base_address = 0x77c50000	1	Fn
LOAD	WININET.dll	base_address = 0x7fefef80000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x7feff4f0000	1	Fn
LOAD	imagehlp.dll	base_address = 0x7feffb50000	1	Fn
LOAD	PSAPI.DLL	base_address = 0x77e20000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x7fefed20000	1	Fn
LOAD	USER32.dll	base_address = 0x77b50000	1	Fn
LOAD	ole32.dll	base_address = 0x7feff940000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x77a30000	2	Fn
GET_HANDLE	c:\windows\system32\ntdll.dll	base_address = 0x77c50000	1	Fn
GET_HANDLE	c:\windows\system32\wininet.dll	base_address = 0x7fefef80000	1	Fn
GET_HANDLE	c:\windows\system32\shlwapi.dll	base_address = 0x7feff4f0000	1	Fn
GET_HANDLE	c:\windows\system32\imagehlp.dll	base_address = 0x7feffb50000	1	Fn
GET_HANDLE	c:\windows\system32\psapi.dll	base_address = 0x77e20000	1	Fn
GET_HANDLE	c:\windows\system32\advapi32.dll	base_address = 0x7fefed20000	1	Fn
GET_HANDLE	c:\windows\system32\user32.dll	base_address = 0x77b50000	1	Fn
GET_HANDLE	c:\windows\system32\ole32.dll	base_address = 0x7feff940000	1	Fn
GET_FILENAME	C:\Windows\system32\DllHost.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address = 0x77a465e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetProcAddress, address = 0x77a53690	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atol, address = 0x77c565ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetOpenA, address = 0x7fefef99098	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = StrStrIA, address = 0x7feff4f5a1c	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\imagehlp.dll	function = MapFileAndCheckSumA, address = 0x7feffb556ec	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address = 0x77e21268	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address = 0x7fefed28420	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\user32.dll	function = ExitWindowsEx, address = 0x77ba14e0	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\ole32.dll	function = CoCreateInstance, address = 0x7feff967490	2	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualProtect, address = 0x77a32ef0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _strlwr, address = 0x77cd8fb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlTimeToSecondsSince1970, address = 0x77c67c30	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlRandom, address = 0x77cf4a40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageDirectoryEntryToData, address = 0x77c80950	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlImageNtHeader, address = 0x77c7ecb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAllocateVirtualMemory, address = 0x77ca1490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwFreeVirtualMemory, address = 0x77ca14f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sscanf, address = 0x77cda974	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snwprintf, address = 0x77cd8b8c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _stricmp, address = 0x77c8c5ec	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlEqualUnicodeString, address = 0x77ca59a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwQuerySystemInformation, address = 0x77ca1670	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwSetInformationToken, address = 0x77ca2920	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwDuplicateToken, address = 0x77ca1730	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwClose, address = 0x77ca1400	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwAdjustPrivilegesToken, address = 0x77ca1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ZwOpenProcessToken, address = 0x77ca22d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strstr, address = 0x77cdac00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = sprintf, address = 0x77cda738	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncat, address = 0x77c9fc40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strchr, address = 0x77c7c900	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strrchr, address = 0x77cdab0c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = ispunct, address = 0x77cd8620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = isalnum, address = 0x77cd8644	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncpy, address = 0x77c9fec0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = RtlComputeCrc32, address = 0x77c5c7b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = _snprintf, address = 0x77cd8ae0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcmp, address = 0x77c9ea60	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = __chkstk, address = 0x77ca0dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = strncmp, address = 0x77c9fdf0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = atoi, address = 0x77c565e4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memset, address = 0x77ca2ed0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\ntdll.dll	function = memcpy, address = 0x77c9e6d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetReadFile, address = 0x7fefef93914	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpQueryInfoW, address = 0x7fefefb4600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetSetOptionW, address = 0x7fefef8ff20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetQueryOptionW, address = 0x7fefefa1ab8	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpSendRequestA, address = 0x7fefefff600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = HttpOpenRequestA, address = 0x7fefefb3910	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetConnectA, address = 0x7fefefb3130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCloseHandle, address = 0x7fefef95594	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\wininet.dll	function = InternetCrackUrlA, address = 0x7fefefe0b4c	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = SHGetValueA, address = 0x7feff4f4e50	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindFileNameA, address = 0x7feff4f86c4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveBackslashA, address = 0x7feff519e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFindExtensionA, address = 0x7feff51b358	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathFileExistsA, address = 0x7feff51b4d4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathAppendA, address = 0x7feff4f5710	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\shlwapi.dll	function = PathRemoveFileSpecA, address = 0x7feff51bbb4	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileA, address = 0x77a531f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address = 0x77a53560	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetVersionExA, address = 0x77a470c0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address = 0x77a40210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address = 0x77a7bfb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTickCount, address = 0x77a52b00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address = 0x77a51e70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x77a49b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalFree, address = 0x77a447a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetWaitableTimer, address = 0x77a38890	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateWaitableTimerA, address = 0x77a90da0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateThread, address = 0x77a46580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CopyFileA, address = 0x77ac5620	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address = 0x77a53580	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address = 0x77a3e390	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateFileMappingA, address = 0x77a3ead0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = RemoveDirectoryA, address = 0x77a7bdb0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = DeleteFileA, address = 0x77a414e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateDirectoryA, address = 0x77a7c5b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetTempPathA, address = 0x77a92060	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ExitProcess, address = 0x77c740f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x77a43f40	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address = 0x77a47070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenProcess, address = 0x77a4cad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = OpenMutexA, address = 0x77a32ce0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address = 0x77a46f70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = QueueUserWorkItem, address = 0x77a41370	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Sleep, address = 0x77a52b70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = TerminateProcess, address = 0x77a7bca0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ResumeThread, address = 0x77a413a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64SetThreadContext, address = 0x77a7af70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = Wow64GetThreadContext, address = 0x77a7afa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address = 0x77a7bad0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address = 0x77a7bbd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateProcessA, address = 0x77ac8840	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address = 0x77a464a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address = 0x77ca3000	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address = 0x77ca2fc0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapCreate, address = 0x77a470e0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapDestroy, address = 0x77a41490	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapAlloc, address = 0x77ca33a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapReAlloc, address = 0x77c83f20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = HeapFree, address = 0x77a53070	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address = 0x77a467a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = VirtualFree, address = 0x77a41260	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CreateMutexA, address = 0x77a47210	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetLastError, address = 0x77a52dd0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address = 0x77a52b20	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReleaseMutex, address = 0x77a52b90	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address = 0x77ab16b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address = 0x77ab1720	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address = 0x77ab18b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address = 0x77ab1600	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address = 0x77c78100	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = GetFileSize, address = 0x77a3f9d0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = CloseHandle, address = 0x77a52f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = ReadFile, address = 0x77a41500	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = WriteFile, address = 0x77a535a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address = 0x77a7bd70	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address = 0x77a369f0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address = 0x7fefed32040	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address = 0x7fefed31e00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = CreateProcessAsUserA, address = 0x7fefed6a1a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address = 0x7fefed3b9b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address = 0x7fefed21a00	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address = 0x7fefed3bd70	1	Fn