1d4342cf...361f | Grouped Behavior
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Riskware, Dropper, Trojan, Ransomware

1d4342cf02142227e7fa3437f4ee06ed4ef3d59a136eb2fb4e657e1bd782361f (SHA256)

symnfa.exe

Windows Exe (x86-32)

Created at 2019-02-27 00:28:00

Notifications (2/4)

Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.

The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.

The overall sleep time of all monitored processes was truncated from "32 minutes, 5 seconds" to "7 minutes" to reveal dormant functionality.

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0xebc Analysis Target High (Elevated) symnfa.exe "C:\Users\CIiHmnxMn6Ps\Desktop\symnfa.exe" -
#2 0x52c Child Process High (Elevated) mksmd.exe "C:\users\Public\MKSMD.exe" C:\Users\CIiHmnxMn6Ps\Desktop\symnfa.exe #1
#3 0x704 Injection Medium sihost.exe sihost.exe #2
#4 0xc94 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "spooler" /y #2
#5 0x77c Injection Medium taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} #2
#6 0xd48 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y #2
#9 0x7f8 Injection Medium runtimebroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding #2
#10 0xd34 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#12 0x980 Injection Low shellexperiencehost.exe "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca #2
#13 0x9e4 Injection Low searchui.exe "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca #2
#14 0xd74 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "audioendpointbuilder" /y #6
#15 0xc3c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #10
#16 0xd90 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "spooler" /y #4
#17 0x75c Child Process Medium werfault.exe C:\Windows\system32\WerFault.exe -u -p 1796 -s 1640 #3
#18 0x1f4 Child Process Medium werfault.exe C:\Windows\system32\WerFault.exe -u -p 2432 -s 3164 #12
#19 0x5bc Child Process Medium sihost.exe sihost.exe #3
#20 0xdc4 Child Process Medium werfault.exe C:\Windows\system32\WerFault.exe -u -p 2432 -s 3224 #12
#21 0xde8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#23 0xde0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #21
#24 0x63c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#26 0xf88 Injection Medium svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup #2
#27 0xea4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #24
#28 0xdb4 Child Process Medium werfault.exe C:\Windows\system32\WerFault.exe -u -p 1916 -s 1160 #5
#29 0xe20 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#31 0xf34 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #29
#32 0x910 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#34 0xfa0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #32
#35 0xb80 Child Process Medium werfault.exe C:\Windows\system32\WerFault.exe -u -p 2040 -s 892 #9
#36 0x8a8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#38 0x490 Child Process Medium runtimebroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding #9
#39 0xee0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #36
#40 0xf00 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#42 0xff8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #40
#43 0x1130 Child Process Medium werfault.exe C:\Windows\system32\WerFault.exe -u -p 3976 -s 900 #26
#44 0x1170 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#46 0x1188 Child Process Medium svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup #26
#47 0x1260 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#48 0x1268 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #44
#50 0x134c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #47
#51 0x1528 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#53 0x1670 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#54 0x1698 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #51
#56 0x176c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #53
#57 0x17f0 Child Process Medium werfault.exe C:\Windows\system32\WerFault.exe -u -p 2532 -s 1012 #13
#58 0x1960 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#60 0x1a54 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #58
#61 0x1bc0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#63 0x1d7c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #61
#64 0x1e74 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#66 0x1e98 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #64
#67 0x1fb4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#69 0x1cfc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #67
#70 0x22f8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#72 0x2404 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #70
#73 0x2418 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#75 0x2438 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #73
#76 0x288c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#78 0x2a74 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #76
#79 0x2ae0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#81 0x2b48 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #79
#82 0x3198 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#84 0x3320 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #82
#85 0x338c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#87 0x373c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #85
#88 0x3ea4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#90 0x402c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#92 0x40a0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #88
#93 0x4434 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #90
#94 0x50b8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#96 0x525c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#98 0x531c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #94
#99 0x53cc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #96
#100 0x576c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#102 0x58dc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#104 0x58f4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #100
#105 0x590c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #102
#106 0x5b1c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#108 0x5bc4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #106
#109 0x5904 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#111 0x5c84 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #109
#112 0x5e50 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#114 0x5eb0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #112
#115 0x5f58 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#117 0x5fa8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #115
#118 0x6498 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#120 0x64d0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #118
#121 0x65a4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#123 0x65f8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #121
#124 0x3f0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#126 0x683c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #124
#127 0x69c0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "samss" /y #2
#129 0x6be4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "samss" /y #127

Behavior Information - Grouped by Category

Process #1: symnfa.exe
Information Value
ID #1
File Name c:\users\ciihmnxmn6ps\desktop\symnfa.exe
Command Line "C:\Users\CIiHmnxMn6Ps\Desktop\symnfa.exe"
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:01:29, Reason: Analysis Target
Unmonitor End Time: 00:01:53, Reason: Self Terminated
Monitor Duration 00:00:24
OS Process Information
Information Value
PID 0xebc
Parent PID 0x57c (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEC0, 0xEC4, 0x98C, 0xA70, 0x54C, 0x87C, 0x910
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000b80000 0x00b80000 0x00b9ffff Private Memory rw True False False -
pagefile_0x0000000000b80000 0x00b80000 0x00b8ffff Pagefile Backed Memory rw True False False -
private_0x0000000000b90000 0x00b90000 0x00b93fff Private Memory rw True False False -
private_0x0000000000ba0000 0x00ba0000 0x00ba0fff Private Memory rw True False False -
pagefile_0x0000000000bb0000 0x00bb0000 0x00bc3fff Pagefile Backed Memory r True False False -
private_0x0000000000bd0000 0x00bd0000 0x00c0ffff Private Memory rw True False False -
private_0x0000000000c10000 0x00c10000 0x00d0ffff Private Memory rw True False False -
pagefile_0x0000000000d10000 0x00d10000 0x00d13fff Pagefile Backed Memory r True False False -
private_0x0000000000d20000 0x00d20000 0x00d21fff Private Memory rw True False False -
private_0x0000000000d30000 0x00d30000 0x00d30fff Private Memory rw True False False -
pagefile_0x0000000000d40000 0x00d40000 0x00d40fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000d50000 0x00d50000 0x00d50fff Pagefile Backed Memory r True False False -
private_0x0000000000d60000 0x00d60000 0x00d6ffff Private Memory rw True False False -
locale.nls 0x00d70000 0x00e2dfff Memory Mapped File r False False False -
private_0x0000000000e30000 0x00e30000 0x00e6ffff Private Memory rw True False False -
pagefile_0x0000000000e70000 0x00e70000 0x00e70fff Pagefile Backed Memory r True False False -
cversions.2.db 0x00e80000 0x00e83fff Memory Mapped File r True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db 0x00e90000 0x00ed2fff Memory Mapped File r True False False -
symnfa.exe 0x00ee0000 0x00f51fff Memory Mapped File rwx True True False
private_0x0000000000f60000 0x00f60000 0x0105ffff Private Memory rw True False False -
oleaut32.dll 0x01060000 0x010f0fff Memory Mapped File r False False False -
cversions.2.db 0x01060000 0x01063fff Memory Mapped File r True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db 0x01070000 0x010fafff Memory Mapped File r True False False -
private_0x0000000001100000 0x01100000 0x011fffff Private Memory rw True False False -
propsys.dll.mui 0x01200000 0x01210fff Memory Mapped File r False False False -
cversions.1.db 0x01220000 0x01223fff Memory Mapped File r True False False -
windows.storage.dll.mui 0x01220000 0x01227fff Memory Mapped File r False False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db 0x01230000 0x01242fff Memory Mapped File r True False False -
pagefile_0x0000000001250000 0x01250000 0x01250fff Pagefile Backed Memory rw True False False -
private_0x0000000001260000 0x01260000 0x0129ffff Private Memory rw True False False -
private_0x00000000012a0000 0x012a0000 0x012dffff Private Memory rw True False False -
private_0x00000000012e0000 0x012e0000 0x0131ffff Private Memory rw True False False -
private_0x0000000001320000 0x01320000 0x0132ffff Private Memory rw True False False -
pagefile_0x0000000001330000 0x01330000 0x014b7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000014c0000 0x014c0000 0x01640fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001650000 0x01650000 0x02a4ffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x02a50000 0x02d86fff Memory Mapped File r False False False -
private_0x0000000002d90000 0x02d90000 0x02edffff Private Memory rw True False False -
private_0x0000000002d90000 0x02d90000 0x02e8ffff Private Memory rw True False False -
private_0x0000000002e90000 0x02e90000 0x02ecffff Private Memory rw True False False -
private_0x0000000002ed0000 0x02ed0000 0x02edffff Private Memory rw True False False -
private_0x0000000002ee0000 0x02ee0000 0x02fdffff Private Memory rw True False False -
shell32.dll.mui 0x02fe0000 0x03040fff Memory Mapped File r False False False -
private_0x0000000003050000 0x03050000 0x0314ffff Private Memory rw True False False -
private_0x0000000003150000 0x03150000 0x0324ffff Private Memory rw True False False -
private_0x0000000003250000 0x03250000 0x0328ffff Private Memory rw True False False -
private_0x0000000003290000 0x03290000 0x0338ffff Private Memory rw True False False -
pagefile_0x0000000003390000 0x03390000 0x03390fff Pagefile Backed Memory rw True False False -
private_0x00000000033a0000 0x033a0000 0x033a3fff Private Memory rw True False False -
wow64cpu.dll 0x5baa0000 0x5baa7fff Memory Mapped File rwx False False False -
wow64win.dll 0x5bab0000 0x5bb22fff Memory Mapped File rwx False False False -
wow64.dll 0x5bb30000 0x5bb7efff Memory Mapped File rwx False False False -
iertutil.dll 0x74020000 0x742e0fff Memory Mapped File rwx False False False -
urlmon.dll 0x742f0000 0x7444ffff Memory Mapped File rwx False False False -
rsaenh.dll 0x74450000 0x7447efff Memory Mapped File rwx False False False -
bcrypt.dll 0x74480000 0x7449afff Memory Mapped File rwx False False False -
cryptsp.dll 0x744a0000 0x744b2fff Memory Mapped File rwx False False False -
propsys.dll 0x744c0000 0x74601fff Memory Mapped File rwx False False False -
uxtheme.dll 0x74630000 0x746a4fff Memory Mapped File rwx False False False -
apphelp.dll 0x746b0000 0x74740fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74750000 0x747a8fff Memory Mapped File rwx False False False -
cryptbase.dll 0x747b0000 0x747b9fff Memory Mapped File rwx False False False -
sspicli.dll 0x747c0000 0x747ddfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x74a00000 0x74aabfff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x74ab0000 0x74abbfff Memory Mapped File rwx False False False -
shlwapi.dll 0x74da0000 0x74de3fff Memory Mapped File rwx False False False -
msctf.dll 0x74df0000 0x74f0ffff Memory Mapped File rwx False False False -
imm32.dll 0x74f10000 0x74f3afff Memory Mapped File rwx False False False -
kernel32.dll 0x74f40000 0x7502ffff Memory Mapped File rwx False False False -
gdi32.dll 0x75030000 0x7517cfff Memory Mapped File rwx False False False -
profapi.dll 0x75180000 0x7518efff Memory Mapped File rwx False False False -
kernelbase.dll 0x75190000 0x75305fff Memory Mapped File rwx False False False -
shell32.dll 0x75310000 0x766cefff Memory Mapped File rwx False False False -
windows.storage.dll 0x76790000 0x76c6cfff Memory Mapped File rwx False False False -
user32.dll 0x76c70000 0x76daffff Memory Mapped File rwx False False False -
msvcrt.dll 0x76f20000 0x76fddfff Memory Mapped File rwx False False False -
clbcatq.dll 0x76fe0000 0x77061fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x77080000 0x770b5fff Memory Mapped File rwx False False False -
oleaut32.dll 0x770d0000 0x77161fff Memory Mapped File rwx False False False -
ole32.dll 0x77170000 0x77259fff Memory Mapped File rwx False False False -
powrprof.dll 0x77260000 0x772a3fff Memory Mapped File rwx False False False -
sechost.dll 0x772b0000 0x772f2fff Memory Mapped File rwx False False False -
shcore.dll 0x77300000 0x7738cfff Memory Mapped File rwx False False False -
combase.dll 0x77390000 0x77549fff Memory Mapped File rwx False False False -
advapi32.dll 0x77550000 0x775cafff Memory Mapped File rwx False False False -
ntdll.dll 0x776b0000 0x77828fff Memory Mapped File rwx False False False -
sysmain.sdb 0x7fae0000 0x7fb4cfff Memory Mapped File r False False False -
private_0x000000007fb54000 0x7fb54000 0x7fb56fff Private Memory rw True False False -
private_0x000000007fb57000 0x7fb57000 0x7fb59fff Private Memory rw True False False -
private_0x000000007fb5a000 0x7fb5a000 0x7fb5cfff Private Memory rw True False False -
private_0x000000007fb5d000 0x7fb5d000 0x7fb5ffff Private Memory rw True False False -
pagefile_0x000000007fb60000 0x7fb60000 0x7fc5ffff Pagefile Backed Memory r True False False -
pagefile_0x000000007fc60000 0x7fc60000 0x7fc82fff Pagefile Backed Memory r True False False -
private_0x000000007fc85000 0x7fc85000 0x7fc87fff Private Memory rw True False False -
private_0x000000007fc88000 0x7fc88000 0x7fc8afff Private Memory rw True False False -
private_0x000000007fc8b000 0x7fc8b000 0x7fc8dfff Private Memory rw True False False -
private_0x000000007fc8e000 0x7fc8e000 0x7fc8efff Private Memory rw True False False -
private_0x000000007fc8f000 0x7fc8f000 0x7fc8ffff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7ffc57b4ffff Private Memory r True False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
private_0x00007ffc57d12000 0x7ffc57d12000 0x7ffffffeffff Private Memory r True False False -
Created Files
Filename File Size Hash Values YARA Match Actions
C:\users\Public\MKSMD.exe 203.00 KB (YARA Match: False)
MD5: fed812eac63187fd833d77acf11857e2
SHA1: ac1e57c6a7f87ac020fa6c7946a2762fe9a472ff
SHA256: 5c09c6a785461f9004c08455664187a1d6f668aff3bb46ec19a113605cff8933
SSDeep: 1536:yknrSbkoDRU6XSE+puj9kV5PKViOeEG3+U9EgIbsW9d7B9dlq4PQUfy28fZO:Wkoy6CE+46IViyG3+Um19Vw4oUfCZO
Host Behavior
File (5)
Operation Filename Additional Information Success Count
Create C:\users\Public\MKSMD.exe desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write C:\users\Public\MKSMD.exe size = 207872 True 1
Process (1)
Operation Process Additional Information Success Count
Create C:\users\Public\MKSMD.exe show_window = SW_HIDE True 1
Module (27)
Operation Module Additional Information Success Count
Load api-ms-win-core-synch-l1-2-0 base_address = 0x75190000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x75190000 True 2
Load advapi32 base_address = 0x77550000 True 1
Load api-ms-win-core-localization-l1-2-1 base_address = 0x75190000 True 1
Load kernel32.dll base_address = 0x74f40000 True 1
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x74ab0000 True 1
Get Handle c:\users\ciihmnxmn6ps\desktop\symnfa.exe base_address = 0xee0000 True 2
Get Handle mscoree.dll - False 1
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\symnfa.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\symnfa.exe, size = 260 True 3
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\symnfa.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\symnfa.exe, size = 500 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x75243ae0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x75246530 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x75243770 True 2
Get Address c:\windows\syswow64\advapi32.dll function = EventRegister, address_out = 0x776e0a90 True 1
Get Address c:\windows\syswow64\advapi32.dll function = EventSetInformation, address_out = 0x77710a90 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x7523a7b0 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = LCMapStringEx, address_out = 0x75233690 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsWow64Process, address_out = 0x74f596e0 True 1
Get Address c:\windows\syswow64\kernel.appcore.dll function = GetCurrentPackageId, address_out = 0x74ab2c80 True 1
System (5)
Operation Additional Information Success Count
Sleep duration = 3500 milliseconds (3.500 seconds) True 1
Sleep duration = 5000 milliseconds (5.000 seconds) True 1
Get Time type = Ticks, time = 127656 True 1
Get Info type = Operating System True 1
Get Info type = Windows Directory, result_out = C:\Windows True 1
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Process #2: mksmd.exe
Information Value
ID #2
File Name c:\users\public\mksmd.exe
Command Line "C:\users\Public\MKSMD.exe" C:\Users\CIiHmnxMn6Ps\Desktop\symnfa.exe
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:01:49, Reason: Child Process
Unmonitor End Time: 00:05:22, Reason: Terminated by Timeout
Monitor Duration 00:03:33
OS Process Information
Information Value
PID 0x52c
Parent PID 0xebc (c:\users\ciihmnxmn6ps\desktop\symnfa.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 1F28
0x 1F2C
0x 1F30
0x 1F34
0x 1F38
0x 1F3C
0x 1F40
0x 1F44
0x 1F48
0x 1F4C
0x 1F50
0x 1F54
0x 1F58
0x 1F5C
0x 1F60
0x 1F64
0x 1F68
0x 1F6C
0x 1F70
0x 1F74
0x 1F78
0x 1F7C
0x 1F80
0x 1F84
0x 1F88
0x 1F8C
0x 1F90
0x 1F98
0x 1F94
0x 1F9C
0x 1FA0
0x 1FA4
0x 1FA8
0x 1FAC
0x 1FB0
0x 1FCC
0x 1FD0
0x 1FD4
0x 1FD8
0x 1FDC
0x 1FE0
0x 1FE4
0x 1FE8
0x 1FEC
0x 1FF0
0x 1FF4
0x 1FF8
0x 1FFC
0x CE4
0x 128
0x 1A58
0x 1BBC
0x 1964
0x 1974
0x 19E8
0x 1D80
0x 1D84
0x 1960
0x 1BC4
0x 1C54
0x 1D7C
0x 1D78
0x 1994
0x 1970
0x CE8
0x 948
0x 193C
0x 420
0x 1E08
0x 1DB8
0x 17F4
0x 1534
0x 1558
0x 1B0C
0x 17F8
0x 8C0
0x 17F0
0x 9E8
0x A88
0x A18
0x A20
0x A28
0x 870
0x 9FC
0x 9F0
0x A04
0x 84
0x A9C
0x AA0
0x AA4
0x AA8
0x AAC
0x AB8
0x ABC
0x AC0
0x AF0
0x AF8
0x AFC
0x B00
0x B04
0x B14
0x B28
0x A08
0x A98
0x 1E70
0x 1E80
0x E70
0x 1E6C
0x FB0
0x FC8
0x FBC
0x 1E94
0x 5C0
0x 1E9C
0x FAC
0x 1EA0
0x 1E78
0x 1E88
0x 1E98
0x 1E90
0x 1E8C
0x 1E84
0x 1E74
0x 1E7C
0x 1F98
0x 1FC0
0x EA0
0x 1968
0x 1510
0x 1FB8
0x 1FC8
0x 1BC0
0x 8CC
0x 1A54
0x 1FC4
0x 1CFC
0x 1FB4
0x 1FBC
0x DBC
0x FD8
0x ED4
0x 2004
0x 2008
0x 200C
0x 2010
0x 2014
0x 2018
0x 201C
0x 2020
0x 2024
0x 2028
0x 202C
0x 2030
0x 2034
0x 2038
0x 203C
0x 2040
0x 2044
0x 2048
0x 204C
0x 2050
0x 2054
0x 2058
0x 205C
0x 2060
0x 2064
0x 2068
0x 206C
0x 2070
0x 2074
0x 2078
0x 207C
0x 2080
0x 2084
0x 2088
0x 208C
0x 2090
0x 2094
0x 2098
0x 209C
0x 20A0
0x 20A4
0x 20A8
0x 20AC
0x 20B0
0x 20B4
0x 20B8
0x 20BC
0x 20C0
0x 20C4
0x 20C8
0x 20CC
0x 20D0
0x 20D4
0x 20D8
0x 20DC
0x 20E0
0x 20E4
0x 20E8
0x 20EC
0x 20F0
0x 20F4
0x 20F8
0x 20FC
0x 2100
0x 2104
0x 2108
0x 210C
0x 2110
0x 2114
0x 2118
0x 211C
0x 2120
0x 2124
0x 2128
0x 212C
0x 2130
0x 2134
0x 2138
0x 213C
0x 2140
0x 2144
0x 2148
0x 214C
0x 2150
0x 2154
0x 2158
0x 215C
0x 2160
0x 2164
0x 2168
0x 216C
0x 2170
0x 2174
0x 2178
0x 217C
0x 2180
0x 2184
0x 2188
0x 218C
0x 2190
0x 2194
0x 2198
0x 219C
0x 21A0
0x 21A4
0x 21A8
0x 21AC
0x 21B0
0x 21B4
0x 21B8
0x 21BC
0x 21C0
0x 21C4
0x 21C8
0x 21CC
0x 21D0
0x 21D4
0x 21D8
0x 21DC
0x 21E0
0x 21E4
0x 21F0
0x 21F4
0x 21F8
0x 21FC
0x 2200
0x 2204
0x 2208
0x 220C
0x 2210
0x 2214
0x 2218
0x 221C
0x 2220
0x 2224
0x 2228
0x 222C
0x 2230
0x 2234
0x 2238
0x 223C
0x 2240
0x 2244
0x 2248
0x 224C
0x 2250
0x 2254
0x 2258
0x 225C
0x 2260
0x 2264
0x 2268
0x 226C
0x 2270
0x 2274
0x 2278
0x 227C
0x 2280
0x 2284
0x 2288
0x 228C
0x 2290
0x 2294
0x 2298
0x 229C
0x 22A0
0x 22A4
0x 22A8
0x 22AC
0x 22B0
0x 22B4
0x 22B8
0x 22BC
0x 22C0
0x 22C4
0x 22C8
0x 22CC
0x 22D0
0x 22D4
0x 22D8
0x 22DC
0x 22E0
0x 22E4
0x 22E8
0x 22EC
0x 22F0
0x 22F4
0x 2300
0x 2304
0x 2308
0x 230C
0x 2310
0x 2314
0x 2318
0x 231C
0x 2320
0x 2324
0x 2328
0x 232C
0x 2338
0x 233C
0x 2340
0x 2344
0x 2348
0x 234C
0x 2350
0x 2354
0x 2358
0x 235C
0x 2360
0x 2364
0x 2368
0x 2370
0x 2374
0x 2378
0x 237C
0x 2380
0x 2384
0x 2388
0x 238C
0x 2390
0x 2394
0x 2398
0x 239C
0x 23A0
0x 23A8
0x 23AC
0x 23B0
0x 23B4
0x 23B8
0x 23BC
0x 23C0
0x 23C4
0x 23C8
0x 23CC
0x 23D0
0x 23D4
0x 23D8
0x 23DC
0x 23E0
0x 23E4
0x 23E8
0x 23EC
0x 23F0
0x 23F4
0x 23F8
0x 23FC
0x E30
0x 874
0x 41C
0x 9F4
0x 2414
0x 2494
0x 2498
0x 249C
0x 24A0
0x 24A4
0x 24A8
0x 24AC
0x 24B0
0x 24B4
0x 24B8
0x 24BC
0x 24C0
0x 24C4
0x 24C8
0x 24CC
0x 24D0
0x 24D4
0x 24D8
0x 24DC
0x 24E0
0x 24E4
0x 24E8
0x 24EC
0x 24F0
0x 24F4
0x 24F8
0x 24FC
0x 2500
0x 2504
0x 2508
0x 250C
0x 2510
0x 2514
0x 2518
0x 251C
0x 2520
0x 2524
0x 2528
0x 252C
0x 2530
0x 2534
0x 2538
0x 253C
0x 2540
0x 2544
0x 2548
0x 254C
0x 2550
0x 2554
0x 2558
0x 255C
0x 2560
0x 2564
0x 2568
0x 256C
0x 2570
0x 2574
0x 2578
0x 257C
0x 2580
0x 2584
0x 2588
0x 258C
0x 2590
0x 2594
0x 2598
0x 259C
0x 25A0
0x 25A4
0x 25A8
0x 25AC
0x 25B0
0x 25B4
0x 25B8
0x 25BC
0x 25C0
0x 25C4
0x 25C8
0x 25CC
0x 25D0
0x 25D4
0x 25D8
0x 25DC
0x 25E0
0x 25E4
0x 25E8
0x 25EC
0x 25F0
0x 25F4
0x 25F8
0x 25FC
0x 2600
0x 2604
0x 2608
0x 260C
0x 2610
0x 2614
0x 2618
0x 261C
0x 2620
0x 2624
0x 2628
0x 262C
0x 2630
0x 2634
0x 2638
0x 263C
0x 2640
0x 2644
0x 2648
0x 264C
0x 2650
0x 2654
0x 2658
0x 265C
0x 2660
0x 2664
0x 2668
0x 266C
0x 2670
0x 2674
0x 2678
0x 267C
0x 2680
0x 2684
0x 2688
0x 268C
0x 2690
0x 2694
0x 2698
0x 269C
0x 26A0
0x 26A4
0x 26A8
0x 26AC
0x 26B0
0x 26B4
0x 26B8
0x 26BC
0x 26C0
0x 26C4
0x 26C8
0x 26CC
0x 26D0
0x 26D4
0x 26D8
0x 26DC
0x 26E0
0x 26E4
0x 26E8
0x 26EC
0x 26F0
0x 26F4
0x 26F8
0x 26FC
0x 2700
0x 2704
0x 2708
0x 270C
0x 2710
0x 2714
0x 2718
0x 271C
0x 2720
0x 2724
0x 2728
0x 272C
0x 2730
0x 2734
0x 2738
0x 273C
0x 2740
0x 2744
0x 2748
0x 274C
0x 2750
0x 2754
0x 2758
0x 275C
0x 2760
0x 2764
0x 2768
0x 276C
0x 2770
0x 2774
0x 2778
0x 277C
0x 2780
0x 2784
0x 2788
0x 278C
0x 2790
0x 2794
0x 2798
0x 279C
0x 27A0
0x 27A4
0x 27A8
0x 27AC
0x 27B0
0x 27B4
0x 27B8
0x 27BC
0x 27C0
0x 27C4
0x 27C8
0x 27CC
0x 27D0
0x 27D4
0x 27D8
0x 27DC
0x 27E0
0x 27E4
0x 27E8
0x 27EC
0x 27F0
0x 27F4
0x 27F8
0x 27FC
0x 2408
0x 240C
0x 22FC
0x 23A4
0x 2334
0x 2298
0x 236C
0x 2404
0x 22F8
0x 2330
0x 604
0x 2414
0x 2424
0x 243C
0x 2440
0x 241C
0x 242C
0x 2434
0x 2430
0x 2428
0x 2438
0x 2418
0x 2420
0x 2804
0x 2808
0x 280C
0x 2810
0x 2814
0x 2818
0x 281C
0x 2820
0x 2824
0x 2828
0x 282C
0x 2830
0x 2834
0x 2838
0x 283C
0x 2840
0x 2844
0x 2848
0x 284C
0x 2850
0x 2854
0x 2858
0x 285C
0x 2860
0x 2864
0x 2868
0x 286C
0x 2870
0x 2874
0x 2878
0x 287C
0x 2880
0x 2884
0x 2888
0x 2894
0x 2898
0x 289C
0x 28A0
0x 28A4
0x 28A8
0x 28AC
0x 28B0
0x 28B4
0x 28B8
0x 28BC
0x 28C0
0x 28C4
0x 28C8
0x 28CC
0x 28D0
0x 28D4
0x 28D8
0x 28E8
0x 28EC
0x 28F0
0x 28F4
0x 28F8
0x 28FC
0x 2904
0x 2908
0x 290C
0x 2910
0x 2914
0x 2918
0x 291C
0x 2920
0x 2924
0x 2928
0x 292C
0x 2930
0x 2934
0x 2938
0x 293C
0x 2940
0x 2944
0x 2948
0x 294C
0x 2950
0x 2954
0x 2958
0x 295C
0x 2960
0x 2964
0x 2968
0x 296C
0x 2970
0x 2974
0x 2978
0x 297C
0x 2980
0x 2984
0x 2988
0x 298C
0x 2994
0x 2998
0x 299C
0x 29A0
0x 29A4
0x 29A8
0x 29AC
0x 29B0
0x 29B4
0x 29B8
0x 29BC
0x 29C0
0x 29C4
0x 29C8
0x 29CC
0x 29D0
0x 29D4
0x 29D8
0x 29DC
0x 29E0
0x 29E4
0x 29E8
0x 29EC
0x 29F0
0x 29F4
0x 29F8
0x 29FC
0x 2A00
0x 2A04
0x 2A08
0x 2A0C
0x 2A10
0x 2A18
0x 2A1C
0x 2A20
0x 2A24
0x 2A28
0x 2A2C
0x 2A30
0x 2A34
0x 2A38
0x 2A3C
0x 2A40
0x 2A44
0x 2A48
0x 2A4C
0x 2A50
0x 2A54
0x 2A58
0x 2A5C
0x 2A60
0x 2A64
0x 2A68
0x 2A6C
0x 2A70
0x 2A7C
0x 2A80
0x 2A84
0x 2A88
0x 2A8C
0x 2A90
0x 2A94
0x 2A98
0x 2A9C
0x 2AA0
0x 2AA4
0x 2AA8
0x 2AAC
0x 2AB0
0x 2AB4
0x 2AB8
0x 2ABC
0x 2AC0
0x 2AC4
0x 2AC8
0x 2ACC
0x 2AD0
0x 2AD4
0x 2AD8
0x 2ADC
0x 2AF4
0x 2AF8
0x 2AFC
0x 2B00
0x 2B04
0x 2B08
0x 2B0C
0x 2B10
0x 2B14
0x 2B18
0x 2B1C
0x 2B20
0x 2B24
0x 2B28
0x 2B60
0x 2B64
0x 2B68
0x 2B6C
0x 2B70
0x 2B74
0x 2B78
0x 2B7C
0x 2B80
0x 2B84
0x 2B88
0x 2B8C
0x 2B90
0x 2B94
0x 2B98
0x 2B9C
0x 2BA0
0x 2BA4
0x 2BA8
0x 2BAC
0x 2BB0
0x 2BB4
0x 2BB8
0x 2BBC
0x 2BC0
0x 2BC4
0x 2BC8
0x 2BCC
0x 2BD0
0x 2BD4
0x 2BD8
0x 2BDC
0x 2BE0
0x 2BE4
0x 2BE8
0x 2BEC
0x 2BF0
0x 2BF4
0x 2BF8
0x 2BFC
0x 2428
0x 28E0
0x 2A7C
0x 7AC
0x 2AEC
0x 2A78
0x 2B30
0x 2890
0x 2900
0x 2A74
0x 2A14
0x 2990
0x 288C
0x 28E4
0x 2B4C
0x 28DC
0x 2B50
0x 2AE4
0x 2B34
0x 2B48
0x 2B44
0x 2B3C
0x 2AE0
0x 2B2C
0x 2AE8
0x 2B40
0x 2B54
0x 2B58
0x 2AF0
0x 2B5C
0x 2C04
0x 2C08
0x 2C0C
0x 2C10
0x 2C14
0x 2C18
0x 2C1C
0x 2C20
0x 2C24
0x 2C28
0x 2C2C
0x 2C30
0x 2C34
0x 2C38
0x 2C3C
0x 2C40
0x 2C44
0x 2C48
0x 2C4C
0x 2C50
0x 2C54
0x 2C58
0x 2C5C
0x 2C60
0x 2C64
0x 2C68
0x 2C6C
0x 2C70
0x 2C74
0x 2C78
0x 2C7C
0x 2C80
0x 2C84
0x 2C88
0x 2C8C
0x 2C90
0x 2C94
0x 2C98
0x 2C9C
0x 2CA0
0x 2CA4
0x 2CA8
0x 2CAC
0x 2CB0
0x 2CB4
0x 2CB8
0x 2CBC
0x 2CC0
0x 2CC4
0x 2CC8
0x 2CCC
0x 2CD0
0x 2CD4
0x 2CD8
0x 2CDC
0x 2CE0
0x 2CE4
0x 2CE8
0x 2CEC
0x 2CF0
0x 2CF4
0x 2CF8
0x 2CFC
0x 2D00
0x 2D04
0x 2D08
0x 2D0C
0x 2D10
0x 2D14
0x 2D18
0x 2D1C
0x 2D20
0x 2D24
0x 2D28
0x 2D2C
0x 2D30
0x 2D34
0x 2D38
0x 2D3C
0x 2D40
0x 2D44
0x 2D48
0x 2D4C
0x 2D50
0x 2D54
0x 2D58
0x 2D5C
0x 2D60
0x 2D64
0x 2D68
0x 2D6C
0x 2D70
0x 2D74
0x 2D78
0x 2D7C
0x 2D80
0x 2D84
0x 2D88
0x 2D8C
0x 2D90
0x 2D94
0x 2D98
0x 2D9C
0x 2DA0
0x 2DA4
0x 2DA8
0x 2DAC
0x 2DB0
0x 2DB4
0x 2DB8
0x 2DBC
0x 2DC0
0x 2DC4
0x 2DC8
0x 2DCC
0x 2DD0
0x 2DD4
0x 2DD8
0x 2DDC
0x 2DE0
0x 2DE4
0x 2DE8
0x 2DEC
0x 2DF0
0x 2DF4
0x 2DF8
0x 2DFC
0x 2E00
0x 2E04
0x 2E08
0x 2E0C
0x 2E10
0x 2E14
0x 2E18
0x 2E1C
0x 2E20
0x 2E24
0x 2E28
0x 2E2C
0x 2E30
0x 2E34
0x 2E38
0x 2E3C
0x 2E40
0x 2E44
0x 2E48
0x 2E4C
0x 2E50
0x 2E54
0x 2E58
0x 2E5C
0x 2E60
0x 2E64
0x 2E68
0x 2E6C
0x 2E70
0x 2E74
0x 2E78
0x 2E7C
0x 2E80
0x 2E84
0x 2E88
0x 2E8C
0x 2E90
0x 2E94
0x 2E98
0x 2E9C
0x 2EA0
0x 2EA4
0x 2EA8
0x 2EAC
0x 2EB0
0x 2EB4
0x 2EB8
0x 2EBC
0x 2EC0
0x 2EC4
0x 2EC8
0x 2ECC
0x 2ED0
0x 2ED4
0x 2ED8
0x 2EDC
0x 2EE0
0x 2EE4
0x 2EE8
0x 2EEC
0x 2EF0
0x 2EF4
0x 2EF8
0x 2EFC
0x 2F00
0x 2F04
0x 2F08
0x 2F0C
0x 2F10
0x 2F14
0x 2F18
0x 2F1C
0x 2F20
0x 2F24
0x 2F28
0x 2F2C
0x 2F30
0x 2F34
0x 2F38
0x 2F3C
0x 2F40
0x 2F44
0x 2F48
0x 2F4C
0x 2F50
0x 2F54
0x 2F58
0x 2F5C
0x 2F60
0x 2F64
0x 2F68
0x 2F6C
0x 2F70
0x 2F74
0x 2F78
0x 2F7C
0x 2F80
0x 2F84
0x 2F88
0x 2F8C
0x 2F90
0x 2F94
0x 2F98
0x 2F9C
0x 2FA0
0x 2FA4
0x 2FA8
0x 2FAC
0x 2FB0
0x 2FB4
0x 2FB8
0x 2FBC
0x 2FC0
0x 2FC4
0x 2FC8
0x 2FCC
0x 2FD0
0x 2FD4
0x 2FD8
0x 2FDC
0x 2FE0
0x 2FE4
0x 2FE8
0x 2FEC
0x 2FF0
0x 2FF4
0x 2FF8
0x 2FFC
0x 1140
0x 2490
0x 3004
0x 3008
0x 300C
0x 3010
0x 3014
0x 3018
0x 301C
0x 3020
0x 3024
0x 3028
0x 302C
0x 3030
0x 3034
0x 3038
0x 303C
0x 3040
0x 3044
0x 3048
0x 304C
0x 3050
0x 3054
0x 3058
0x 305C
0x 3060
0x 3064
0x 3068
0x 306C
0x 3070
0x 3074
0x 3078
0x 307C
0x 3080
0x 3084
0x 3088
0x 308C
0x 3090
0x 3094
0x 3098
0x 309C
0x 30A0
0x 30A4
0x 30A8
0x 30AC
0x 30B0
0x 30B4
0x 30B8
0x 30BC
0x 30C0
0x 30C4
0x 30C8
0x 30CC
0x 30D0
0x 30D4
0x 30D8
0x 30DC
0x 30E0
0x 30E4
0x 30E8
0x 30EC
0x 30F0
0x 30F4
0x 30F8
0x 30FC
0x 3100
0x 3104
0x 3108
0x 310C
0x 3110
0x 3114
0x 3118
0x 311C
0x 3120
0x 3124
0x 3128
0x 312C
0x 3130
0x 3134
0x 3138
0x 313C
0x 3140
0x 3144
0x 3148
0x 314C
0x 3150
0x 3154
0x 3158
0x 315C
0x 3160
0x 3164
0x 3168
0x 316C
0x 3170
0x 3174
0x 3178
0x 317C
0x 3180
0x 3184
0x 3188
0x 318C
0x 3190
0x 3194
0x 31A8
0x 31AC
0x 31B0
0x 31B4
0x 31B8
0x 31BC
0x 31C4
0x 31C8
0x 31CC
0x 31D0
0x 31D4
0x 31D8
0x 31DC
0x 31E4
0x 31E8
0x 31EC
0x 31F0
0x 31F4
0x 31F8
0x 31FC
0x 3200
0x 3204
0x 3208
0x 320C
0x 3210
0x 3214
0x 3218
0x 321C
0x 3220
0x 3224
0x 3228
0x 322C
0x 3230
0x 3234
0x 3238
0x 323C
0x 3240
0x 3244
0x 3248
0x 324C
0x 3250
0x 3254
0x 3258
0x 325C
0x 3260
0x 3264
0x 3268
0x 326C
0x 3270
0x 3274
0x 3278
0x 327C
0x 3280
0x 3284
0x 3288
0x 328C
0x 3290
0x 3294
0x 3298
0x 329C
0x 32A0
0x 32A4
0x 32A8
0x 32AC
0x 32B0
0x 32B4
0x 32B8
0x 32C0
0x 32C4
0x 32C8
0x 32D0
0x 32D4
0x 32D8
0x 32DC
0x 32E0
0x 32E4
0x 32E8
0x 32EC
0x 32F0
0x 32F4
0x 32F8
0x 32FC
0x 3300
0x 3304
0x 3308
0x 330C
0x 3310
0x 3314
0x 3318
0x 331C
0x 3328
0x 332C
0x 3330
0x 3334
0x 3338
0x 333C
0x 3340
0x 3344
0x 3348
0x 334C
0x 3350
0x 3354
0x 3358
0x 335C
0x 3360
0x 3364
0x 3368
0x 336C
0x 3370
0x 3374
0x 3378
0x 337C
0x 3380
0x 3384
0x 3388
0x 3394
0x 3398
0x 339C
0x 33A0
0x 33A4
0x 33A8
0x 33AC
0x 33B0
0x 33B4
0x 33B8
0x 33BC
0x 33C0
0x 33C4
0x 33C8
0x 33CC
0x 33D0
0x 33D4
0x 33D8
0x 33EC
0x 33F0
0x 33F4
0x 33F8
0x 33FC
0x 3194
0x 414
0x D7C
0x 31A4
0x 5F8
0x 3338
0x 3404
0x 3408
0x 340C
0x 3410
0x 3414
0x 3418
0x 341C
0x 3420
0x 3424
0x 3428
0x 342C
0x 3430
0x 3434
0x 3438
0x 343C
0x 3440
0x 3444
0x 3448
0x 344C
0x 3450
0x 3454
0x 3458
0x 345C
0x 3464
0x 3468
0x 346C
0x 3470
0x 3474
0x 3478
0x 347C
0x 3480
0x 3484
0x 3488
0x 348C
0x 3490
0x 3494
0x 3498
0x 349C
0x 34A0
0x 34A4
0x 34A8
0x 34AC
0x 34B0
0x 34B4
0x 34B8
0x 34BC
0x 34C0
0x 34C4
0x 34C8
0x 34CC
0x 34D0
0x 34D4
0x 34D8
0x 34DC
0x 34E0
0x 34E4
0x 34E8
0x 34EC
0x 34F0
0x 34F4
0x 34F8
0x 34FC
0x 3500
0x 3504
0x 3508
0x 350C
0x 3510
0x 3514
0x 3518
0x 351C
0x 3520
0x 3524
0x 3528
0x 352C
0x 3530
0x 3534
0x 3538
0x 353C
0x 3540
0x 3544
0x 3548
0x 354C
0x 3550
0x 3554
0x 3558
0x 355C
0x 3560
0x 3564
0x 3568
0x 356C
0x 3570
0x 3574
0x 3578
0x 357C
0x 3580
0x 3584
0x 3588
0x 358C
0x 3590
0x 3594
0x 3598
0x 359C
0x 35A4
0x 35A8
0x 35AC
0x 35B0
0x 35B4
0x 35B8
0x 35BC
0x 35C0
0x 35C4
0x 35C8
0x 35CC
0x 35D0
0x 35D4
0x 35D8
0x 35DC
0x 35E0
0x 35E4
0x 35E8
0x 35EC
0x 35F0
0x 35F4
0x 35F8
0x 35FC
0x 3600
0x 3604
0x 3608
0x 360C
0x 3610
0x 3614
0x 3618
0x 361C
0x 3620
0x 3624
0x 3628
0x 362C
0x 3630
0x 3634
0x 3638
0x 363C
0x 3640
0x 3644
0x 3648
0x 364C
0x 3650
0x 3654
0x 3658
0x 365C
0x 3660
0x 3664
0x 3668
0x 366C
0x 3670
0x 3674
0x 3678
0x 367C
0x 3680
0x 3684
0x 3688
0x 368C
0x 3690
0x 3694
0x 3698
0x 369C
0x 36A0
0x 36A4
0x 36A8
0x 36AC
0x 36B0
0x 36B4
0x 36B8
0x 36BC
0x 36C0
0x 36C4
0x 36C8
0x 36CC
0x 36D0
0x 36D4
0x 36D8
0x 36DC
0x 36E4
0x 36E8
0x 36EC
0x 36F0
0x 36F4
0x 36F8
0x 36FC
0x 3700
0x 3704
0x 3708
0x 370C
0x 3710
0x 3714
0x 3718
0x 371C
0x 3720
0x 3724
0x 3728
0x 372C
0x 3730
0x 3734
0x 3738
0x 3744
0x 3748
0x 374C
0x 3750
0x 3754
0x 3758
0x 375C
0x 3760
0x 3764
0x 3768
0x 376C
0x 3770
0x 3774
0x 3778
0x 377C
0x 3780
0x 3784
0x 3788
0x 378C
0x 3790
0x 3794
0x 3798
0x 379C
0x 37A0
0x 37A4
0x 37A8
0x 37AC
0x 37B0
0x 37B4
0x 37B8
0x 37BC
0x 37C0
0x 37C4
0x 37C8
0x 37CC
0x 37D0
0x 37D4
0x 37D8
0x 37DC
0x 37E0
0x 37E4
0x 37E8
0x 37EC
0x 37F0
0x 37F4
0x 37F8
0x 37FC
0x 33E0
0x 3324
0x 33E4
0x 3320
0x 4B0
0x C7C
0x C74
0x 319C
0x 31E0
0x 32CC
0x 3198
0x 3804
0x 3808
0x 380C
0x 3810
0x 3814
0x 3818
0x 381C
0x 3820
0x 3824
0x 3828
0x 382C
0x 3830
0x 3834
0x 3838
0x 383C
0x 3840
0x 3844
0x 3848
0x 384C
0x 3850
0x 3854
0x 3858
0x 385C
0x 3864
0x 3868
0x 386C
0x 3870
0x 3874
0x 3878
0x 387C
0x 3880
0x 3884
0x 3888
0x 388C
0x 3890
0x 3894
0x 3898
0x 389C
0x 38A0
0x 38A4
0x 38A8
0x 38AC
0x 38B0
0x 38B4
0x 38B8
0x 38BC
0x 38C0
0x 38C4
0x 38C8
0x 38CC
0x 38D0
0x 38D4
0x 38D8
0x 38DC
0x 38E0
0x 38E4
0x 38E8
0x 38EC
0x 38F0
0x 38F4
0x 38F8
0x 38FC
0x 3900
0x 3904
0x 3908
0x 390C
0x 3910
0x 3914
0x 3918
0x 391C
0x 3920
0x 3924
0x 3928
0x 392C
0x 3930
0x 3934
0x 3938
0x 393C
0x 3940
0x 3944
0x 3948
0x 394C
0x 3950
0x 3954
0x 3958
0x 395C
0x 3960
0x 3964
0x 3968
0x 396C
0x 3970
0x 3974
0x 3978
0x 397C
0x 3980
0x 3984
0x 3988
0x 398C
0x 3990
0x 3994
0x 3998
0x 399C
0x 39A0
0x 39A4
0x 39A8
0x 39AC
0x 39B0
0x 39B4
0x 39B8
0x 39BC
0x 39C0
0x 39C4
0x 39C8
0x 39CC
0x 39D0
0x 39D4
0x 39D8
0x 39DC
0x 39E0
0x 39E4
0x 39E8
0x 39EC
0x 39F0
0x 39F4
0x 39F8
0x 39FC
0x 3A00
0x 3A04
0x 3A08
0x 3A0C
0x 3A10
0x 3A14
0x 3A18
0x 3A1C
0x 3A20
0x 3A24
0x 3A28
0x 3A2C
0x 3A30
0x 3A34
0x 3A38
0x 3A3C
0x 3A40
0x 3A44
0x 3A48
0x 3A4C
0x 3A50
0x 3A54
0x 3A58
0x 3A5C
0x 3A60
0x 3A64
0x 3A68
0x 3A6C
0x 3A70
0x 3A74
0x 3A78
0x 3A7C
0x 3A80
0x 3A84
0x 3A88
0x 3A8C
0x 3A90
0x 3A94
0x 3A98
0x 3A9C
0x 3AA0
0x 3AA4
0x 3AA8
0x 3AAC
0x 3AB0
0x 3AB4
0x 3AB8
0x 3ABC
0x 3AC0
0x 3AC4
0x 3AC8
0x 3ACC
0x 3AD0
0x 3AD4
0x 3AD8
0x 3ADC
0x 3AE0
0x 3AE4
0x 3AE8
0x 3AEC
0x 3AF0
0x 3AF4
0x 3AF8
0x 3AFC
0x 3B00
0x 3B04
0x 3B08
0x 3B0C
0x 3B10
0x 3B14
0x 3B18
0x 3B1C
0x 3B20
0x 3B24
0x 3B28
0x 3B2C
0x 3B30
0x 3B34
0x 3B38
0x 3B3C
0x 3B40
0x 3B44
0x 3B48
0x 3B4C
0x 3B50
0x 3B54
0x 3B58
0x 3B5C
0x 3B60
0x 3B64
0x 3B68
0x 3B6C
0x 3B70
0x 3B74
0x 3B78
0x 3B7C
0x 3B80
0x 3B84
0x 3B88
0x 3B8C
0x 3B90
0x 3B94
0x 3B98
0x 3B9C
0x 3BA0
0x 3BA4
0x 3BA8
0x 3BAC
0x 3BB0
0x 3BB4
0x 3BB8
0x 3BBC
0x 3BC0
0x 3BC4
0x 3BC8
0x 3BCC
0x 3BD0
0x 3BD4
0x 3BD8
0x 3BDC
0x 3BE0
0x 3BE4
0x 3BE8
0x 3BEC
0x 3BF0
0x 3BF4
0x 3BF8
0x 3BFC
0x 32BC
0x 31C0
0x 31A0
0x 2464
0x 2460
0x 28C
0x 868
0x 238
0x 930
0x 120
0x 314
0x 614
0x 928
0x 918
0x A48
0x 43C
0x F4
0x 478
0x 428
0x 3740
0x DAC
0x 3390
0x 373C
0x 3460
0x 36E0
0x 338C
0x 35A0
0x 33E8
0x 33DC
0x 3C04
0x 3C08
0x 3C0C
0x 3C10
0x 3C14
0x 3C18
0x 3C1C
0x 3C20
0x 3C24
0x 3C28
0x 3C2C
0x 3C30
0x 3C34
0x 3C38
0x 3C3C
0x 3C40
0x 3C44
0x 3C48
0x 3C4C
0x 3C50
0x 3C54
0x 3C58
0x 3C5C
0x 3C60
0x 3C64
0x 3C68
0x 3C6C
0x 3C70
0x 3C74
0x 3C78
0x 3C7C
0x 3C80
0x 3C84
0x 3C88
0x 3C8C
0x 3C90
0x 3C94
0x 3C98
0x 3C9C
0x 3CA0
0x 3CA4
0x 3CA8
0x 3CAC
0x 3CB0
0x 3CB4
0x 3CB8
0x 3CBC
0x 3CC0
0x 3CC4
0x 3CC8
0x 3CCC
0x 3CD0
0x 3CD4
0x 3CD8
0x 3CDC
0x 3CE0
0x 3CE4
0x 3CE8
0x 3CEC
0x 3CF0
0x 3CF4
0x 3CF8
0x 3CFC
0x 3D00
0x 3D04
0x 3D08
0x 3D0C
0x 3D10
0x 3D14
0x 3D18
0x 3D1C
0x 3D20
0x 3D24
0x 3D28
0x 3D2C
0x 3D30
0x 3D34
0x 3D38
0x 3D3C
0x 3D40
0x 3D44
0x 3D48
0x 3D4C
0x 3D50
0x 3D54
0x 3D58
0x 3D5C
0x 3D60
0x 3D64
0x 3D68
0x 3D6C
0x 3D70
0x 3D74
0x 3D78
0x 3D7C
0x 3D80
0x 3D84
0x 3D88
0x 3D8C
0x 3D90
0x 3D94
0x 3D98
0x 3D9C
0x 3DA0
0x 3DA4
0x 3DA8
0x 3DAC
0x 3DB0
0x 3DB4
0x 3DB8
0x 3DBC
0x 3DC0
0x 3DC4
0x 3DC8
0x 3DCC
0x 3DD0
0x 3DD4
0x 3DD8
0x 3DDC
0x 3DE0
0x 3DE4
0x 3DE8
0x 3DEC
0x 3DF0
0x 3DF4
0x 3DF8
0x 3DFC
0x 3E00
0x 3E04
0x 3E08
0x 3E0C
0x 3E10
0x 3E14
0x 3E18
0x 3E1C
0x 3E20
0x 3E24
0x 3E28
0x 3E2C
0x 3E30
0x 3E34
0x 3E38
0x 3E3C
0x 3E40
0x 3E44
0x 3E48
0x 3E4C
0x 3E50
0x 3E54
0x 3E58
0x 3E5C
0x 3E60
0x 3E64
0x 3E68
0x 3E6C
0x 3E70
0x 3E74
0x 3E78
0x 3E7C
0x 3E80
0x 3E84
0x 3E88
0x 3E8C
0x 3E90
0x 3E94
0x 3E98
0x 3E9C
0x 3EA0
0x 3EB8
0x 3EBC
0x 3EC0
0x 3EC4
0x 3EC8
0x 3ECC
0x 3ED0
0x 3ED8
0x 3EDC
0x 3EE0
0x 3EE4
0x 3EE8
0x 3EEC
0x 3EF0
0x 3EF4
0x 3EF8
0x 3EFC
0x 3F00
0x 3F04
0x 3F08
0x 3F0C
0x 3F10
0x 3F14
0x 3F18
0x 3F1C
0x 3F20
0x 3F24
0x 3F28
0x 3F2C
0x 3F30
0x 3F34
0x 3F38
0x 3F3C
0x 3F40
0x 3F44
0x 3F48
0x 3F4C
0x 3F50
0x 3F54
0x 3F58
0x 3F5C
0x 3F60
0x 3F64
0x 3F68
0x 3F6C
0x 3F70
0x 3F74
0x 3F78
0x 3F7C
0x 3F80
0x 3F84
0x 3F88
0x 3F8C
0x 3F90
0x 3F94
0x 3F98
0x 3F9C
0x 3FA0
0x 3FA4
0x 3FA8
0x 3FAC
0x 3FB0
0x 3FB4
0x 3FB8
0x 3FBC
0x 3FC0
0x 3FC4
0x 3FC8
0x 3FD0
0x 3FD4
0x 3FD8
0x 3FDC
0x 3FE0
0x 3FE4
0x 3FE8
0x 3FEC
0x 3FF0
0x 3FF4
0x 3FF8
0x 3FFC
0x 55C
0x C2C
0x 3EA0
0x 3EB0
0x 4004
0x 400C
0x 4010
0x 4014
0x 4018
0x 401C
0x 4020
0x 4024
0x 4028
0x 4034
0x 4038
0x 403C
0x 4040
0x 4044
0x 4048
0x 404C
0x 4050
0x 4054
0x 4060
0x 4064
0x 4068
0x 406C
0x 4070
0x 4074
0x 4078
0x 407C
0x 4080
0x 4084
0x 4088
0x 408C
0x 4090
0x 4094
0x 4098
0x 40A8
0x 40AC
0x 40B0
0x 40B4
0x 40B8
0x 40BC
0x 40C0
0x 40C4
0x 40C8
0x 40CC
0x 40D0
0x 40D4
0x 40D8
0x 40DC
0x 40E0
0x 40E4
0x 40EC
0x 40F0
0x 40F4
0x 40F8
0x 40FC
0x 4100
0x 4104
0x 4108
0x 410C
0x 4110
0x 4114
0x 4118
0x 411C
0x 4120
0x 4124
0x 4128
0x 412C
0x 4130
0x 4134
0x 4138
0x 413C
0x 4140
0x 4144
0x 4148
0x 414C
0x 4150
0x 4154
0x 4158
0x 415C
0x 4160
0x 4164
0x 4168
0x 416C
0x 4170
0x 4174
0x 4178
0x 417C
0x 4180
0x 4184
0x 4188
0x 418C
0x 4190
0x 4194
0x 4198
0x 419C
0x 41A0
0x 41A4
0x 41A8
0x 41AC
0x 41B0
0x 41B4
0x 41B8
0x 41BC
0x 41C0
0x 41C4
0x 41D0
0x 41D4
0x 41D8
0x 41DC
0x 41E0
0x 41E4
0x 41E8
0x 41EC
0x 41F0
0x 41F4
0x 41F8
0x 41FC
0x 4200
0x 4204
0x 4208
0x 420C
0x 4210
0x 4214
0x 4218
0x 421C
0x 4220
0x 4224
0x 4228
0x 422C
0x 4230
0x 4234
0x 4238
0x 423C
0x 4240
0x 4244
0x 4248
0x 424C
0x 4250
0x 4254
0x 4258
0x 425C
0x 4260
0x 4264
0x 4268
0x 426C
0x 4270
0x 4274
0x 4278
0x 427C
0x 4280
0x 4284
0x 4288
0x 428C
0x 4290
0x 4294
0x 4298
0x 429C
0x 42A0
0x 42A4
0x 42A8
0x 42AC
0x 42B0
0x 42B4
0x 42B8
0x 42BC
0x 42C0
0x 42C4
0x 42C8
0x 42CC
0x 42D0
0x 42D4
0x 42D8
0x 42E0
0x 42E4
0x 42E8
0x 42EC
0x 42F0
0x 42F4
0x 42F8
0x 42FC
0x 4300
0x 4304
0x 4308
0x 430C
0x 4310
0x 4314
0x 4318
0x 431C
0x 4320
0x 4324
0x 4328
0x 432C
0x 4330
0x 4334
0x 4338
0x 433C
0x 4340
0x 4344
0x 4348
0x 434C
0x 4350
0x 4354
0x 4358
0x 435C
0x 4360
0x 4364
0x 4368
0x 436C
0x 4370
0x 4374
0x 4378
0x 437C
0x 4380
0x 4384
0x 4388
0x 438C
0x 4390
0x 4394
0x 4398
0x 439C
0x 43A0
0x 43A4
0x 43A8
0x 43AC
0x 43B0
0x 43B4
0x 43B8
0x 43BC
0x 43C0
0x 43C4
0x 43C8
0x 43CC
0x 43D0
0x 43D4
0x 43D8
0x 43DC
0x 43E0
0x 43E4
0x 43E8
0x 43EC
0x 43F0
0x 43F4
0x 43F8
0x 43FC
0x 3FE4
0x 405C
0x 4404
0x 4408
0x 440C
0x 4410
0x 4414
0x 4418
0x 441C
0x 4420
0x 4424
0x 4428
0x 442C
0x 4430
0x 443C
0x 4440
0x 4444
0x 4448
0x 444C
0x 4450
0x 4454
0x 4458
0x 445C
0x 4460
0x 4464
0x 4468
0x 446C
0x 4470
0x 4474
0x 4478
0x 447C
0x 4480
0x 4484
0x 4488
0x 448C
0x 4490
0x 4494
0x 4498
0x 449C
0x 44A0
0x 44A4
0x 44A8
0x 44AC
0x 44B0
0x 44B4
0x 44B8
0x 44BC
0x 44C0
0x 44C4
0x 44C8
0x 44CC
0x 44D0
0x 44D4
0x 44D8
0x 44DC
0x 44E0
0x 44E4
0x 44E8
0x 44EC
0x 44F0
0x 44F8
0x 44FC
0x 4500
0x 4504
0x 4508
0x 450C
0x 4510
0x 4514
0x 4518
0x 451C
0x 4520
0x 4524
0x 4528
0x 452C
0x 4530
0x 4534
0x 4538
0x 453C
0x 4540
0x 4544
0x 4548
0x 454C
0x 4550
0x 4554
0x 4558
0x 455C
0x 4560
0x 4564
0x 4568
0x 456C
0x 4570
0x 4574
0x 4578
0x 457C
0x 4580
0x 4584
0x 4588
0x 458C
0x 4590
0x 4594
0x 4598
0x 459C
0x 45A0
0x 45A4
0x 45A8
0x 45AC
0x 45B0
0x 45B4
0x 45B8
0x 45BC
0x 45C0
0x 45C4
0x 45C8
0x 45CC
0x 45D0
0x 45D4
0x 45D8
0x 45DC
0x 45E0
0x 45E4
0x 45E8
0x 45EC
0x 45F0
0x 45F4
0x 45F8
0x 45FC
0x 4600
0x 4604
0x 4608
0x 460C
0x 4610
0x 4614
0x 4618
0x 461C
0x 4620
0x 4624
0x 4628
0x 462C
0x 4630
0x 4634
0x 4638
0x 463C
0x 4640
0x 4644
0x 4648
0x 464C
0x 4650
0x 4654
0x 4658
0x 465C
0x 4660
0x 4664
0x 4668
0x 466C
0x 4670
0x 4674
0x 4678
0x 467C
0x 4680
0x 4684
0x 4688
0x 468C
0x 4690
0x 4694
0x 4698
0x 469C
0x 46A0
0x 46A4
0x 46A8
0x 46AC
0x 46B0
0x 46B4
0x 46B8
0x 46BC
0x 46C0
0x 46C4
0x 46C8
0x 46CC
0x 46D0
0x 46D4
0x 46D8
0x 46DC
0x 46E0
0x 46E4
0x 46E8
0x 46EC
0x 46F0
0x 46F4
0x 46F8
0x 46FC
0x 4700
0x 4704
0x 4708
0x 470C
0x 4710
0x 4714
0x 4718
0x 471C
0x 4720
0x 4724
0x 4728
0x 472C
0x 4730
0x 4734
0x 4738
0x 473C
0x 4740
0x 4744
0x 4748
0x 474C
0x 4750
0x 4754
0x 4758
0x 475C
0x 4760
0x 4764
0x 4768
0x 476C
0x 4770
0x 4774
0x 4778
0x 477C
0x 4780
0x 4784
0x 4788
0x 478C
0x 4790
0x 4794
0x 4798
0x 479C
0x 47A0
0x 47A4
0x 47A8
0x 47AC
0x 47B0
0x 47B4
0x 47B8
0x 47BC
0x 47C0
0x 47C4
0x 47C8
0x 47CC
0x 47D0
0x 47D4
0x 47D8
0x 47DC
0x 47E0
0x 47E4
0x 47E8
0x 47EC
0x 47F0
0x 47F4
0x 47F8
0x 47FC
0x 40A4
0x 41C8
0x 3EA8
0x 3ED4
0x 40A0
0x 4008
0x 3FCC
0x 3EA4
0x 3EB4
0x 4438
0x 3EAC
0x 44F4
0x 4030
0x 4804
0x 4808
0x 480C
0x 4810
0x 4814
0x 4818
0x 481C
0x 4820
0x 4824
0x 4828
0x 482C
0x 4830
0x 4834
0x 4838
0x 483C
0x 4840
0x 4844
0x 4848
0x 484C
0x 4850
0x 4854
0x 4858
0x 485C
0x 4860
0x 4864
0x 4868
0x 486C
0x 4870
0x 4874
0x 4878
0x 487C
0x 4880
0x 4884
0x 4888
0x 488C
0x 4890
0x 4894
0x 4898
0x 489C
0x 48A0
0x 48A4
0x 48A8
0x 48AC
0x 48B0
0x 48B4
0x 48B8
0x 48BC
0x 48C0
0x 48C4
0x 48C8
0x 48CC
0x 48D0
0x 48D4
0x 48D8
0x 48DC
0x 48E0
0x 48E4
0x 48E8
0x 48EC
0x 48F0
0x 48F4
0x 48F8
0x 48FC
0x 4900
0x 4904
0x 4908
0x 490C
0x 4910
0x 4914
0x 4918
0x 491C
0x 4920
0x 4924
0x 4928
0x 492C
0x 4930
0x 4934
0x 4938
0x 493C
0x 4940
0x 4944
0x 4948
0x 494C
0x 4950
0x 4954
0x 4958
0x 495C
0x 4960
0x 4964
0x 4968
0x 496C
0x 4970
0x 4974
0x 4978
0x 497C
0x 4980
0x 4984
0x 4988
0x 498C
0x 4990
0x 4994
0x 4998
0x 499C
0x 49A0
0x 49A4
0x 49A8
0x 49AC
0x 49B0
0x 49B4
0x 49B8
0x 49BC
0x 49C0
0x 49C4
0x 49C8
0x 49CC
0x 49D0
0x 49D4
0x 49D8
0x 49DC
0x 49E0
0x 49E4
0x 49E8
0x 49EC
0x 49F0
0x 49F4
0x 49F8
0x 49FC
0x 4A00
0x 4A04
0x 4A08
0x 4A0C
0x 4A10
0x 4A14
0x 4A18
0x 4A1C
0x 4A20
0x 4A24
0x 4A28
0x 4A2C
0x 4A30
0x 4A34
0x 4A38
0x 4A3C
0x 4A40
0x 4A44
0x 4A48
0x 4A4C
0x 4A50
0x 4A54
0x 4A58
0x 4A5C
0x 4A60
0x 4A64
0x 4A68
0x 4A6C
0x 4A70
0x 4A74
0x 4A78
0x 4A7C
0x 4A80
0x 4A84
0x 4A88
0x 4A8C
0x 4A90
0x 4A94
0x 4A98
0x 4A9C
0x 4AA0
0x 4AA4
0x 4AA8
0x 4AAC
0x 4AB0
0x 4AB4
0x 4AB8
0x 4ABC
0x 4AC0
0x 4AC4
0x 4AC8
0x 4ACC
0x 4AD0
0x 4AD4
0x 4AD8
0x 4ADC
0x 4AE0
0x 4AE4
0x 4AE8
0x 4AEC
0x 4AF0
0x 4AF4
0x 4AF8
0x 4AFC
0x 4B00
0x 4B04
0x 4B08
0x 4B0C
0x 4B10
0x 4B14
0x 4B18
0x 4B1C
0x 4B20
0x 4B24
0x 4B28
0x 4B2C
0x 4B30
0x 4B34
0x 4B38
0x 4B3C
0x 4B40
0x 4B44
0x 4B48
0x 4B4C
0x 4B50
0x 4B54
0x 4B58
0x 4B5C
0x 4B60
0x 4B64
0x 4B68
0x 4B6C
0x 4B70
0x 4B74
0x 4B78
0x 4B7C
0x 4B80
0x 4B84
0x 4B88
0x 4B8C
0x 4B90
0x 4B94
0x 4B98
0x 4B9C
0x 4BA0
0x 4BA4
0x 4BA8
0x 4BAC
0x 4BB0
0x 4BB4
0x 4BB8
0x 4BBC
0x 4BC0
0x 4BC4
0x 4BC8
0x 4BCC
0x 4BD0
0x 4BD4
0x 4BD8
0x 4BDC
0x 4BE0
0x 4BE4
0x 4BE8
0x 4BEC
0x 4BF0
0x 4BF4
0x 4BF8
0x 4BFC
0x 4434
0x 40E8
0x 42DC
0x 41CC
0x 409C
0x 4C04
0x 4C08
0x 4C0C
0x 4C10
0x 4C14
0x 4C18
0x 4C1C
0x 4C20
0x 4C24
0x 4C28
0x 4C2C
0x 4C30
0x 4C34
0x 4C38
0x 4C3C
0x 4C40
0x 4C44
0x 4C48
0x 4C4C
0x 4C50
0x 4C54
0x 4C58
0x 4C5C
0x 4C60
0x 4C64
0x 4C68
0x 4C6C
0x 4C70
0x 4C74
0x 4C78
0x 4C7C
0x 4C80
0x 4C84
0x 4C88
0x 4C8C
0x 4C90
0x 4C94
0x 4C98
0x 4C9C
0x 4CA0
0x 4CA4
0x 4CA8
0x 4CAC
0x 4CB0
0x 4CB4
0x 4CB8
0x 4CBC
0x 4CC0
0x 4CC4
0x 4CC8
0x 4CCC
0x 4CD0
0x 4CD4
0x 4CD8
0x 4CDC
0x 4CE0
0x 4CE4
0x 4CE8
0x 4CEC
0x 4CF0
0x 4CF4
0x 4CF8
0x 4CFC
0x 4D00
0x 4D04
0x 4D08
0x 4D0C
0x 4D10
0x 4D14
0x 4D18
0x 4D1C
0x 4D20
0x 4D24
0x 4D28
0x 4D2C
0x 4D30
0x 4D34
0x 4D38
0x 4D3C
0x 4D40
0x 4D44
0x 4D48
0x 4D4C
0x 4D50
0x 4D54
0x 4D58
0x 4D5C
0x 4D60
0x 4D64
0x 4D68
0x 4D6C
0x 4D70
0x 4D74
0x 4D78
0x 4D7C
0x 4D80
0x 4D84
0x 4D88
0x 4D8C
0x 4D90
0x 4D94
0x 4D98
0x 4D9C
0x 4DA0
0x 4DA4
0x 4DA8
0x 4DAC
0x 4DB0
0x 4DB4
0x 4DB8
0x 4DBC
0x 4DC0
0x 4DC4
0x 4DC8
0x 4DCC
0x 4DD0
0x 4DD4
0x 4DD8
0x 4DDC
0x 4DE0
0x 4DE4
0x 4DE8
0x 4DEC
0x 4DF0
0x 4DF4
0x 4DF8
0x 4DFC
0x 4E00
0x 4E04
0x 4E08
0x 4E0C
0x 4E10
0x 4E14
0x 4E18
0x 4E1C
0x 4E20
0x 4E24
0x 4E28
0x 4E2C
0x 4E30
0x 4E34
0x 4E38
0x 4E3C
0x 4E40
0x 4E44
0x 4E48
0x 4E4C
0x 4E50
0x 4E54
0x 4E58
0x 4E5C
0x 4E60
0x 4E64
0x 4E68
0x 4E6C
0x 4E70
0x 4E74
0x 4E78
0x 4E7C
0x 4E80
0x 4E84
0x 4E88
0x 4E8C
0x 4E90
0x 4E94
0x 4E98
0x 4E9C
0x 4EA0
0x 4EA4
0x 4EA8
0x 4EAC
0x 4EB0
0x 4EB4
0x 4EB8
0x 4EBC
0x 4EC0
0x 4EC4
0x 4EC8
0x 4ECC
0x 4ED0
0x 4ED4
0x 4ED8
0x 4EDC
0x 4EE0
0x 4EE4
0x 4EE8
0x 4EEC
0x 4EF0
0x 4EF4
0x 4EF8
0x 4EFC
0x 4F00
0x 4F04
0x 4F08
0x 4F0C
0x 4F10
0x 4F14
0x 4F18
0x 4F1C
0x 4F20
0x 4F24
0x 4F28
0x 4F2C
0x 4F30
0x 4F34
0x 4F38
0x 4F3C
0x 4F40
0x 4F44
0x 4F48
0x 4F4C
0x 4F50
0x 4F54
0x 4F58
0x 4F5C
0x 4F60
0x 4F64
0x 4F68
0x 4F6C
0x 4F70
0x 4F74
0x 4F78
0x 4F7C
0x 4F80
0x 4F84
0x 4F88
0x 4F8C
0x 4F90
0x 4F94
0x 4F98
0x 4F9C
0x 4FA0
0x 4FA4
0x 4FA8
0x 4FAC
0x 4FB0
0x 4FB4
0x 4FB8
0x 4FBC
0x 4FC0
0x 4FC4
0x 4FC8
0x 4FCC
0x 4FD0
0x 4FD4
0x 4FD8
0x 4FDC
0x 4FE0
0x 4FE4
0x 4FE8
0x 4FEC
0x 4FF0
0x 4FF4
0x 4FF8
0x 4FFC
0x 5004
0x 5008
0x 500C
0x 5010
0x 5014
0x 5018
0x 501C
0x 5020
0x 5024
0x 5028
0x 502C
0x 5030
0x 5034
0x 5038
0x 503C
0x 5040
0x 5044
0x 5048
0x 504C
0x 5050
0x 5054
0x 5058
0x 505C
0x 5060
0x 5064
0x 5068
0x 506C
0x 5070
0x 5074
0x 5078
0x 507C
0x 5080
0x 5084
0x 5088
0x 508C
0x 5090
0x 5094
0x 5098
0x 509C
0x 50A0
0x 50A4
0x 50A8
0x 50AC
0x 50B0
0x 50B4
0x 50C0
0x 50C4
0x 50C8
0x 50CC
0x 50D0
0x 50D4
0x 50D8
0x 50DC
0x 50E0
0x 50E4
0x 50E8
0x 50EC
0x 50F0
0x 50F4
0x 5100
0x 5104
0x 5108
0x 510C
0x 5110
0x 5114
0x 5118
0x 511C
0x 5120
0x 5124
0x 512C
0x 5130
0x 5134
0x 5138
0x 513C
0x 5140
0x 5144
0x 5148
0x 514C
0x 5150
0x 5154
0x 5158
0x 515C
0x 5160
0x 5164
0x 516C
0x 5170
0x 5174
0x 5178
0x 517C
0x 5180
0x 5184
0x 5188
0x 518C
0x 5190
0x 5194
0x 5198
0x 519C
0x 51A0
0x 51A4
0x 51A8
0x 51AC
0x 51B0
0x 51B4
0x 51B8
0x 51BC
0x 51C0
0x 51C4
0x 51C8
0x 51CC
0x 51D0
0x 51D4
0x 51D8
0x 51DC
0x 51E0
0x 51E4
0x 51E8
0x 51EC
0x 51F0
0x 51F4
0x 51F8
0x 51FC
0x 5200
0x 5208
0x 520C
0x 5210
0x 5214
0x 5218
0x 521C
0x 5220
0x 5224
0x 5228
0x 522C
0x 5230
0x 5234
0x 5238
0x 523C
0x 5240
0x 5244
0x 5248
0x 524C
0x 5250
0x 5254
0x 5258
0x 5264
0x 5268
0x 526C
0x 5270
0x 5280
0x 5284
0x 5288
0x 528C
0x 5290
0x 5294
0x 5298
0x 52A0
0x 52A4
0x 52A8
0x 52AC
0x 52B0
0x 52B4
0x 52B8
0x 52BC
0x 52C0
0x 52C4
0x 52CC
0x 52D0
0x 52D4
0x 52D8
0x 52DC
0x 52E0
0x 52E4
0x 52E8
0x 52EC
0x 52F0
0x 52F4
0x 52F8
0x 52FC
0x 5300
0x 5304
0x 5308
0x 530C
0x 5310
0x 5314
0x 5318
0x 5324
0x 5328
0x 532C
0x 5330
0x 5334
0x 5338
0x 533C
0x 5340
0x 5348
0x 534C
0x 5350
0x 535C
0x 5360
0x 5364
0x 5368
0x 536C
0x 5370
0x 5374
0x 5378
0x 537C
0x 5380
0x 5384
0x 5388
0x 538C
0x 5390
0x 5394
0x 5398
0x 539C
0x 53A0
0x 53A4
0x 53A8
0x 53AC
0x 53B0
0x 53B4
0x 53B8
0x 53BC
0x 53C0
0x 53C4
0x 53C8
0x 53D8
0x 53DC
0x 53E0
0x 53E4
0x 53E8
0x 53EC
0x 53F0
0x 53F4
0x 53F8
0x 53FC
0x 500C
0x 50FC
0x 51D8
0x 5278
0x 5320
0x 5358
0x 531C
0x 50BC
0x 5168
0x 527C
0x 50B8
0x 5204
0x 5128
0x 53D0
0x 53D4
0x 53CC
0x 5260
0x 52C8
0x 5354
0x 525C
0x 5344
0x 529C
0x 402C
0x 4058
0x 50F8
0x 5274
0x 5404
0x 5408
0x 540C
0x 5410
0x 5414
0x 5418
0x 541C
0x 5420
0x 5424
0x 5428
0x 542C
0x 5430
0x 5434
0x 5438
0x 543C
0x 5440
0x 5444
0x 5448
0x 544C
0x 5450
0x 5454
0x 5458
0x 545C
0x 5460
0x 5464
0x 5468
0x 546C
0x 5470
0x 5474
0x 5478
0x 547C
0x 5480
0x 5484
0x 5488
0x 548C
0x 5490
0x 5494
0x 5498
0x 549C
0x 54A0
0x 54A4
0x 54A8
0x 54AC
0x 54B0
0x 54B4
0x 54B8
0x 54BC
0x 54C0
0x 54C4
0x 54C8
0x 54CC
0x 54D0
0x 54D4
0x 54D8
0x 54DC
0x 54E0
0x 54E4
0x 54E8
0x 54EC
0x 54F0
0x 54F4
0x 54F8
0x 54FC
0x 5500
0x 5504
0x 5508
0x 550C
0x 5510
0x 5514
0x 5518
0x 551C
0x 5520
0x 5524
0x 5528
0x 552C
0x 5530
0x 5534
0x 5538
0x 553C
0x 5540
0x 5544
0x 5548
0x 554C
0x 5550
0x 5554
0x 5558
0x 555C
0x 5560
0x 5564
0x 5568
0x 556C
0x 5570
0x 5574
0x 5578
0x 557C
0x 5580
0x 5584
0x 5588
0x 558C
0x 5590
0x 5594
0x 5598
0x 559C
0x 55A0
0x 55A4
0x 55A8
0x 55AC
0x 55B0
0x 55B4
0x 55B8
0x 55BC
0x 55C0
0x 55C4
0x 55C8
0x 55CC
0x 55D0
0x 55D4
0x 55D8
0x 55DC
0x 55E0
0x 55E4
0x 55E8
0x 55EC
0x 55F0
0x 55F4
0x 55F8
0x 55FC
0x 5600
0x 5604
0x 5608
0x 560C
0x 5610
0x 5614
0x 5618
0x 561C
0x 5620
0x 5624
0x 5628
0x 562C
0x 5630
0x 5634
0x 5638
0x 563C
0x 5640
0x 5644
0x 5648
0x 564C
0x 5650
0x 5654
0x 5658
0x 565C
0x 5660
0x 5664
0x 5668
0x 566C
0x 5670
0x 5674
0x 5678
0x 567C
0x 5680
0x 5684
0x 5688
0x 568C
0x 5690
0x 5694
0x 5698
0x 569C
0x 56A0
0x 56A4
0x 56A8
0x 56AC
0x 56B0
0x 56B4
0x 56B8
0x 56BC
0x 56C0
0x 56C4
0x 56C8
0x 56CC
0x 56D0
0x 56D4
0x 56D8
0x 56DC
0x 56E0
0x 56E4
0x 56E8
0x 56EC
0x 56F0
0x 56F4
0x 56F8
0x 56FC
0x 5700
0x 5704
0x 5708
0x 570C
0x 5710
0x 5714
0x 5718
0x 571C
0x 5720
0x 5724
0x 5728
0x 572C
0x 5730
0x 5734
0x 5738
0x 573C
0x 5740
0x 5744
0x 5748
0x 574C
0x 5750
0x 5754
0x 5758
0x 575C
0x 5760
0x 5764
0x 5768
0x 5774
0x 5778
0x 577C
0x 5780
0x 5784
0x 5788
0x 578C
0x 5790
0x 5794
0x 5798
0x 579C
0x 57A0
0x 57A4
0x 57A8
0x 57B8
0x 57BC
0x 57C0
0x 57C4
0x 57C8
0x 57CC
0x 57D0
0x 57D4
0x 57D8
0x 57DC
0x 57E0
0x 57E4
0x 57E8
0x 57EC
0x 57F0
0x 57F4
0x 57F8
0x 57FC
0x 5768
0x 5804
0x 5808
0x 580C
0x 5810
0x 5814
0x 581C
0x 5820
0x 5824
0x 5828
0x 582C
0x 5830
0x 5834
0x 5838
0x 583C
0x 5840
0x 5844
0x 5848
0x 584C
0x 5850
0x 5854
0x 5858
0x 585C
0x 5860
0x 5864
0x 5868
0x 586C
0x 5870
0x 5874
0x 5878
0x 587C
0x 5880
0x 5884
0x 5888
0x 588C
0x 5890
0x 5894
0x 5898
0x 589C
0x 58A0
0x 58A4
0x 58A8
0x 58AC
0x 58B0
0x 58B4
0x 58B8
0x 58BC
0x 58C0
0x 58C4
0x 58CC
0x 58D4
0x 58D8
0x 58E4
0x 591C
0x 5920
0x 5924
0x 5928
0x 592C
0x 5930
0x 5934
0x 5938
0x 593C
0x 5940
0x 5944
0x 5948
0x 594C
0x 5950
0x 5954
0x 5958
0x 595C
0x 5960
0x 5964
0x 5968
0x 596C
0x 5970
0x 5974
0x 5978
0x 597C
0x 5980
0x 5984
0x 5988
0x 598C
0x 5990
0x 5994
0x 5998
0x 599C
0x 59A0
0x 59A4
0x 59A8
0x 59AC
0x 59B0
0x 59B4
0x 59B8
0x 59BC
0x 59C0
0x 59C4
0x 59C8
0x 59CC
0x 59D0
0x 59D4
0x 59D8
0x 59DC
0x 59E0
0x 59E4
0x 59E8
0x 59EC
0x 59F0
0x 59F4
0x 59F8
0x 59FC
0x 5A00
0x 5A04
0x 5A08
0x 5A0C
0x 5A10
0x 5A14
0x 5A18
0x 5A1C
0x 5A20
0x 5A24
0x 5A28
0x 5A2C
0x 5A30
0x 5A34
0x 5A38
0x 5A3C
0x 5A40
0x 5A44
0x 5A48
0x 5A4C
0x 5A50
0x 5A54
0x 5A58
0x 5A5C
0x 5A60
0x 5A64
0x 5A68
0x 5A6C
0x 5A70
0x 5A74
0x 5A80
0x 5A84
0x 5A88
0x 5A8C
0x 5A90
0x 5A94
0x 5A98
0x 5A9C
0x 5AA0
0x 5AA4
0x 5AA8
0x 5AAC
0x 5AB0
0x 5AB4
0x 5AB8
0x 5ABC
0x 5AC0
0x 5AC4
0x 5AC8
0x 5ACC
0x 5AD0
0x 5AD4
0x 5AD8
0x 5ADC
0x 5AE0
0x 5AE4
0x 5AE8
0x 5AEC
0x 5AF0
0x 5AF4
0x 5AF8
0x 5AFC
0x 5B00
0x 5B04
0x 5B08
0x 5B0C
0x 5B10
0x 5B14
0x 5B18
0x 5B34
0x 5B38
0x 5B3C
0x 5B40
0x 5B44
0x 5B48
0x 5B4C
0x 5B50
0x 5B54
0x 5B58
0x 5B5C
0x 5B60
0x 5B64
0x 5B68
0x 5B6C
0x 5B70
0x 5B74
0x 5B78
0x 5B7C
0x 5B80
0x 5B84
0x 5B88
0x 5B8C
0x 5B90
0x 5B94
0x 5B98
0x 5B9C
0x 5BA0
0x 5BA4
0x 5BAC
0x 5BB0
0x 5BB8
0x 5BBC
0x 5BC0
0x 5BCC
0x 5BD0
0x 5BD4
0x 5BD8
0x 5BDC
0x 5BE0
0x 5BE4
0x 5BE8
0x 5BF0
0x 5BF4
0x 5BF8
0x 5BFC
0x 57B0
0x 58CC
0x E58
0x 58EC
0x 58F8
0x 5770
0x 5818
0x 57B4
0x 5910
0x 57AC
0x 5914
0x 58E0
0x 590C
0x 5908
0x 5900
0x 58E8
0x 5918
0x 244C
0x 5B08
0x 5B28
0x 2470
0x 57B0
0x 58C8
0x 5C04
0x 5C08
0x 5C0C
0x 5C10
0x 5C14
0x 5C18
0x 5C1C
0x 5C20
0x 5C24
0x 5C28
0x 5C2C
0x 5C30
0x 5C34
0x 5C38
0x 5C3C
0x 5C40
0x 5C44
0x 5C48
0x 5C4C
0x 5C50
0x 5C58
0x 5C5C
0x 5C60
0x 5C64
0x 5C68
0x 5C6C
0x 5C70
0x 5C74
0x 5C78
0x 5C7C
0x 5C80
0x 5C94
0x 5C98
0x 5C9C
0x 5CA0
0x 5CA4
0x 5CA8
0x 5CAC
0x 5CB0
0x 5CB4
0x 5CB8
0x 5CBC
0x 5CC0
0x 5CC4
0x 5CC8
0x 5CCC
0x 5CD0
0x 5CD4
0x 5CD8
0x 5CDC
0x 5CE0
0x 5CE4
0x 5CE8
0x 5CEC
0x 5CF0
0x 5CF4
0x 5CF8
0x 5CFC
0x 5D00
0x 5D04
0x 5D08
0x 5D0C
0x 5D10
0x 5D14
0x 5D18
0x 5D1C
0x 5D20
0x 5D24
0x 5D28
0x 5D2C
0x 5D30
0x 5D34
0x 5D38
0x 5D3C
0x 5D40
0x 5D48
0x 5D4C
0x 5D50
0x 5D54
0x 5D58
0x 5D5C
0x 5D60
0x 5D64
0x 5D68
0x 5D6C
0x 5D70
0x 5D74
0x 5D78
0x 5D7C
0x 5D80
0x 5D84
0x 5D88
0x 5D8C
0x 5D90
0x 5D94
0x 5D98
0x 5D9C
0x 5DA0
0x 5DA4
0x 5DA8
0x 5DAC
0x 5DB0
0x 5DB4
0x 5DB8
0x 5DBC
0x 5DC0
0x 5DC4
0x 5DC8
0x 5DCC
0x 5DD0
0x 5DD4
0x 5DD8
0x 5DDC
0x 5DE0
0x 5DE4
0x 5DE8
0x 5DEC
0x 5DF0
0x 5DF4
0x 5DF8
0x 5DFC
0x 5E00
0x 5E04
0x 5E08
0x 5E0C
0x 5E10
0x 5E14
0x 5E18
0x 5E1C
0x 5E20
0x 5E24
0x 5E28
0x 5E2C
0x 5E30
0x 5E3C
0x 5E40
0x 5E44
0x 5E48
0x 5E4C
0x 5E58
0x 5E5C
0x 5E60
0x 5E64
0x 5E68
0x 5E74
0x 5E78
0x 5E7C
0x 5E84
0x 5E88
0x 5E8C
0x 5E90
0x 5E9C
0x 5EA0
0x 5EA4
0x 5EA8
0x 5EB8
0x 5EBC
0x 5EC0
0x 5EC4
0x 5EC8
0x 5ED0
0x 5ED4
0x 5ED8
0x 5EDC
0x 5EE0
0x 5EE4
0x 5EE8
0x 5EEC
0x 5EF0
0x 5EF4
0x 5EF8
0x 5EFC
0x 5F00
0x 5F04
0x 5F08
0x 5F0C
0x 5F10
0x 5F14
0x 5F18
0x 5F1C
0x 5F20
0x 5F24
0x 5F28
0x 5F2C
0x 5F30
0x 5F34
0x 5F38
0x 5F3C
0x 5F40
0x 5F44
0x 5F48
0x 5F4C
0x 5F50
0x 5F54
0x 5F68
0x 5F6C
0x 5F70
0x 5F74
0x 5F80
0x 5F84
0x 5F8C
0x 5F90
0x 5F98
0x 5F9C
0x 5FA0
0x 5FA4
0x 5FB4
0x 5FB8
0x 5FBC
0x 5FC0
0x 5FC4
0x 5FC8
0x 5FCC
0x 5FD0
0x 5FD4
0x 5FD8
0x 5FDC
0x 5FE0
0x 5FE4
0x 5FE8
0x 5FF0
0x 5FF4
0x 5FF8
0x 5FFC
0x 5BC8
0x 5BEC
0x 5B20
0x 5B30
0x 5BB4
0x 2454
0x 5BA8
0x 5B2C
0x 5C88
0x 5D44
0x 58F4
0x 58FC
0x 58F0
0x 5904
0x 58DC
0x 576C
0x 58D0
0x 5BC4
0x 5B1C
0x 5B24
0x 5C84
0x 5E4C
0x 5E70
0x 5EB4
0x 5ECC
0x 5E54
0x 5E94
0x 5EB0
0x 5EAC
0x 5E98
0x 5E50
0x 5E80
0x 5E6C
0x 5F44
0x 5F64
0x 5FAC
0x 5FB0
0x 5F5C
0x 5F7C
0x 6004
0x 6008
0x 600C
0x 6010
0x 6014
0x 6018
0x 601C
0x 6024
0x 6028
0x 602C
0x 6030
0x 603C
0x 6040
0x 6044
0x 6048
0x 604C
0x 6050
0x 6054
0x 6058
0x 6060
0x 6064
0x 6068
0x 606C
0x 6070
0x 6074
0x 6078
0x 607C
0x 6080
0x 6084
0x 6088
0x 608C
0x 6090
0x 6094
0x 60A0
0x 60A4
0x 60A8
0x 60AC
0x 60B0
0x 60B4
0x 60B8
0x 60BC
0x 60C0
0x 60C4
0x 60C8
0x 60CC
0x 60D0
0x 60D4
0x 60D8
0x 60DC
0x 60E0
0x 60E4
0x 60E8
0x 60EC
0x 60F0
0x 60F4
0x 60F8
0x 60FC
0x 6100
0x 6104
0x 6108
0x 610C
0x 6110
0x 6114
0x 6118
0x 611C
0x 6120
0x 6124
0x 6128
0x 612C
0x 6130
0x 6134
0x 6138
0x 613C
0x 6140
0x 6144
0x 6148
0x 614C
0x 6150
0x 6154
0x 6158
0x 615C
0x 6160
0x 6164
0x 6168
0x 616C
0x 6170
0x 6174
0x 6178
0x 617C
0x 6180
0x 6184
0x 6188
0x 618C
0x 6190
0x 6194
0x 6198
0x 619C
0x 61A0
0x 61A4
0x 61A8
0x 61AC
0x 61B0
0x 61B4
0x 61B8
0x 61BC
0x 61C0
0x 61C4
0x 61C8
0x 61CC
0x 61D0
0x 61D4
0x 61D8
0x 61DC
0x 61E0
0x 61E4
0x 61E8
0x 61EC
0x 61F0
0x 61F4
0x 61F8
0x 61FC
0x 6200
0x 6204
0x 6208
0x 620C
0x 6210
0x 6214
0x 6218
0x 621C
0x 6220
0x 6224
0x 6228
0x 622C
0x 6230
0x 6234
0x 6238
0x 623C
0x 6240
0x 6244
0x 6248
0x 624C
0x 6250
0x 6254
0x 6258
0x 625C
0x 6260
0x 6264
0x 6268
0x 626C
0x 6270
0x 6274
0x 6278
0x 627C
0x 6280
0x 6284
0x 6288
0x 628C
0x 6290
0x 6294
0x 6298
0x 629C
0x 62A0
0x 62A4
0x 62A8
0x 62AC
0x 62B0
0x 62B4
0x 62B8
0x 62BC
0x 62C0
0x 62C4
0x 62C8
0x 62CC
0x 62D0
0x 62D4
0x 62D8
0x 62DC
0x 62E0
0x 62E4
0x 62E8
0x 62EC
0x 62F0
0x 62F4
0x 62F8
0x 62FC
0x 6300
0x 6304
0x 6308
0x 630C
0x 6310
0x 6314
0x 6318
0x 631C
0x 6320
0x 6324
0x 6328
0x 632C
0x 6330
0x 6334
0x 6338
0x 633C
0x 6340
0x 6344
0x 6348
0x 634C
0x 6350
0x 6354
0x 6358
0x 635C
0x 6360
0x 6364
0x 6368
0x 636C
0x 6370
0x 6374
0x 6378
0x 637C
0x 6380
0x 6384
0x 6388
0x 638C
0x 6390
0x 6394
0x 6398
0x 639C
0x 63A0
0x 63A4
0x 63A8
0x 63AC
0x 63B0
0x 63B4
0x 63B8
0x 63BC
0x 63C0
0x 63C4
0x 63C8
0x 63CC
0x 63D0
0x 63D4
0x 63D8
0x 63DC
0x 63E0
0x 63E4
0x 63E8
0x 63EC
0x 63F0
0x 63F4
0x 63F8
0x 63FC
0x 5F60
0x 3C0
0x 1318
0x 6404
0x 6408
0x 640C
0x 6410
0x 6414
0x 6418
0x 641C
0x 6420
0x 6424
0x 6428
0x 642C
0x 6430
0x 6434
0x 6438
0x 643C
0x 6440
0x 6444
0x 6448
0x 644C
0x 6458
0x 645C
0x 6460
0x 6464
0x 6468
0x 646C
0x 6470
0x 6474
0x 6478
0x 647C
0x 6480
0x 6484
0x 6488
0x 648C
0x 6490
0x 6494
0x 64BC
0x 64C0
0x 64C4
0x 64C8
0x 64CC
0x 64D8
0x 64DC
0x 64E0
0x 64E4
0x 64EC
0x 64F0
0x 64F4
0x 64F8
0x 64FC
0x 6500
0x 6504
0x 6508
0x 650C
0x 6510
0x 6514
0x 6518
0x 651C
0x 6520
0x 6524
0x 6528
0x 652C
0x 6530
0x 6534
0x 6538
0x 653C
0x 6540
0x 6544
0x 6548
0x 654C
0x 6550
0x 6554
0x 6558
0x 6560
0x 6564
0x 6568
0x 656C
0x 6570
0x 6574
0x 6578
0x 657C
0x 6580
0x 6584
0x 6588
0x 658C
0x 6590
0x 6594
0x 6598
0x 659C
0x 65A0
0x 65AC
0x 65B0
0x 65B4
0x 65B8
0x 65BC
0x 65C0
0x 65C4
0x 65C8
0x 65CC
0x 65D0
0x 65D4
0x 65E0
0x 65E4
0x 6600
0x 6604
0x 6608
0x 660C
0x 6610
0x 6614
0x 6618
0x 6624
0x 6628
0x 662C
0x 6630
0x 6634
0x 6638
0x 663C
0x 6640
0x 6644
0x 6648
0x 664C
0x 6650
0x 6654
0x 6658
0x 665C
0x 6660
0x 6664
0x 6668
0x 666C
0x 6670
0x 6674
0x 6678
0x 667C
0x 6680
0x 6684
0x 6688
0x 668C
0x 6690
0x 6694
0x 6698
0x 669C
0x 66A0
0x 66A4
0x 66A8
0x 66AC
0x 66B0
0x 66B4
0x 66B8
0x 66BC
0x 66C0
0x 66C4
0x 66C8
0x 66CC
0x 66D0
0x 66D4
0x 66D8
0x 66DC
0x 66E0
0x 66E8
0x 66EC
0x 66F0
0x 66F4
0x 66F8
0x 66FC
0x 6700
0x 6704
0x 6708
0x 670C
0x 6710
0x 6714
0x 6718
0x 671C
0x 6720
0x 6724
0x 6728
0x 672C
0x 6730
0x 6734
0x 6738
0x 673C
0x 6740
0x 6744
0x 6748
0x 674C
0x 6750
0x 6754
0x 6758
0x 675C
0x 6760
0x 6764
0x 6768
0x 676C
0x 6770
0x 6774
0x 6778
0x 677C
0x 6780
0x 6784
0x 6788
0x 678C
0x 6790
0x 6794
0x 6798
0x 679C
0x 67A0
0x 67A4
0x 67A8
0x 67AC
0x 67B0
0x 67B4
0x 67B8
0x 67BC
0x 67C0
0x 67C4
0x 67C8
0x 67CC
0x 67D0
0x 67D4
0x 67D8
0x 67DC
0x 67E0
0x 67E4
0x 67E8
0x 67EC
0x 67F0
0x 67F4
0x 67F8
0x 67FC
0x 6494
0x 64A8
0x 64D4
0x 64E8
0x 64D0
0x 649C
0x 64B0
0x 64B8
0x 6498
0x 655C
0x 64B4
0x 64AC
0x 64A4
0x 65A0
0x 65DC
0x 65FC
0x 661C
0x 65F8
0x 3F4
0x 65A8
0x 65EC
0x 65F4
0x 65F0
0x 65A4
0x 65E8
0x 65D8
0x 1314
0x 1304
0x 4B4
0x 558
0x 300
0x CC4
0x 3D4
0x 850
0x 540
0x 988
0x 480
0x A64
0x 6804
0x 6814
0x 6818
0x 6820
0x 6824
0x 682C
0x 6830
0x 6834
0x 6844
0x 684C
0x 6850
0x 6854
0x 6858
0x 685C
0x 6860
0x 6864
0x 6868
0x 686C
0x 6870
0x 6874
0x 6878
0x 687C
0x 6880
0x 6884
0x 6888
0x 688C
0x 6890
0x 6894
0x 6898
0x 689C
0x 68A4
0x 68A8
0x 68AC
0x 68B0
0x 68B4
0x 68B8
0x 68BC
0x 68C0
0x 68C4
0x 68C8
0x 68CC
0x 68D0
0x 68D4
0x 68D8
0x 68DC
0x 68E0
0x 68E4
0x 68E8
0x 68EC
0x 68F0
0x 68F4
0x 68F8
0x 68FC
0x 6900
0x 6904
0x 6908
0x 690C
0x 6910
0x 6914
0x 6918
0x 691C
0x 6920
0x 6924
0x 6928
0x 692C
0x 6930
0x 6934
0x 6938
0x 693C
0x 6940
0x 6944
0x 6948
0x 694C
0x 6950
0x 6954
0x 6958
0x 695C
0x 6960
0x 6964
0x 6968
0x 696C
0x 6970
0x 6974
0x 6978
0x 697C
0x 6980
0x 6984
0x 6988
0x 698C
0x 6990
0x 6994
0x 6998
0x 699C
0x 69A0
0x 69A4
0x 69A8
0x 69AC
0x 69B0
0x 69B4
0x 69B8
0x 69BC
0x 69C8
0x 69CC
0x 69D0
0x 69D4
0x 69D8
0x 69E4
0x 69E8
0x 69EC
0x 69F4
0x 69F8
0x 69FC
0x 6A04
0x 6A08
0x 6A0C
0x 6A10
0x 6A14
0x 6A18
0x 6A1C
0x 6A20
0x 6A24
0x 6A28
0x 6A2C
0x 6A30
0x 6A34
0x 6A38
0x 6A3C
0x 6A40
0x 6A44
0x 6A48
0x 6A4C
0x 6A50
0x 6A58
0x 6A5C
0x 6A60
0x 6A64
0x 6A68
0x 6A6C
0x 6A70
0x 6A74
0x 6A78
0x 6A7C
0x 6A80
0x 6A84
0x 6A88
0x 6A8C
0x 6A90
0x 6A94
0x 6A98
0x 6A9C
0x 6AA0
0x 6AA4
0x 6AA8
0x 6AAC
0x 6AB0
0x 6AB4
0x 6AB8
0x 6ABC
0x 6AC0
0x 6AC4
0x 6AC8
0x 6ACC
0x 6AD0
0x 6AD4
0x 6AD8
0x 6ADC
0x 6AE0
0x 6AE4
0x 6AE8
0x 6AEC
0x 6AF0
0x 6AF4
0x 6AF8
0x 6AFC
0x 6B00
0x 6B04
0x 6B08
0x 6B0C
0x 6B10
0x 6B14
0x 6B18
0x 6B1C
0x 6B20
0x 6B24
0x 6B28
0x 6B2C
0x 6B30
0x 6B34
0x 6B38
0x 6B3C
0x 6B40
0x 6B44
0x 6B48
0x 6B4C
0x 6B50
0x 6B54
0x 6B58
0x 6B5C
0x 6B60
0x 6B64
0x 6B68
0x 6B6C
0x 6B70
0x 6B74
0x 6B78
0x 6B7C
0x 6B80
0x 6B84
0x 6B88
0x 6B8C
0x 6B90
0x 6B98
0x 6B9C
0x 6BA0
0x 6BA4
0x 6BA8
0x 6BAC
0x 6BB0
0x 6BB4
0x 6BB8
0x 6BBC
0x 6BC0
0x 6BC4
0x 6BC8
0x 6BCC
0x 6BD0
0x 6BD4
0x 6BD8
0x 6BDC
0x 6BE0
0x 6BEC
0x 6BF0
0x 6BF4
0x 6BF8
0x 6BFC
0x 850
0x 680C
0x 6840
0x 6848
0x 683C
0x 3CC
0x 681C
0x 6838
0x 3F0
0x 6828
0x 6810
0x 6808
0x 880
0x 298
0x 844
0x 2410
0x 21E8
0x 6984
0x 69E0
0x 6C04
0x 6C08
0x 6C0C
0x 6C10
0x 6C14
0x 6C18
0x 6C1C
0x 6C20
0x 6C24
0x 6C28
0x 6C30
0x 6C34
0x 6C38
0x 6C3C
0x 6C40
0x 6C44
0x 6C48
0x 6C4C
0x 6C50
0x 6C54
0x 6C58
0x 6C5C
0x 6C60
0x 6C64
0x 6C68
0x 6C6C
0x 6C70
0x 6C74
0x 6C78
0x 6C7C
0x 6C80
0x 6C84
0x 6C88
0x 6C8C
0x 6C90
0x 6C94
0x 6C98
0x 6C9C
0x 6CA0
0x 6CA4
0x 6CA8
0x 6CAC
0x 6CB0
0x 6CB4
0x 6CB8
0x 6CBC
0x 6CC0
0x 6CC4
0x 6CC8
0x 6CCC
0x 6CD0
0x 6CD4
0x 6CD8
0x 6CDC
0x 6CE0
0x 6CE4
0x 6CE8
0x 6CEC
0x 6CF0
0x 6CF4
0x 6CF8
0x 6CFC
0x 6D00
0x 6D04
0x 6D08
0x 6D0C
0x 6D10
0x 6D14
0x 6D18
0x 6D1C
0x 6D20
0x 6D24
0x 6D28
0x 6D2C
0x 6D30
0x 6D34
0x 6D38
0x 6D3C
0x 6D40
0x 6D44
0x 6D48
0x 6D4C
0x 6D50
0x 6D54
0x 6D58
0x 6D5C
0x 6D60
0x 6D64
0x 6D68
0x 6D6C
0x 6D70
0x 6D74
0x 6D78
0x 6D7C
0x 6D80
0x 6D84
0x 6D88
0x 6D8C
0x 6D90
0x 6D94
0x 6D98
0x 6D9C
0x 6DA0
0x 6DA4
0x 6DA8
0x 6DAC
0x 6DB0
0x 6DB4
0x 6DB8
0x 6DBC
0x 6DC0
0x 6DC4
0x 6DC8
0x 6DCC
0x 6DD0
0x 6DD4
0x 6DD8
0x 6DDC
0x 6DE0
0x 6DE4
0x 6DE8
0x 6DEC
0x 6DF0
0x 6DF4
0x 6DF8
0x 6DFC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007f5b0000 0x7f5b0000 0x7f5b0fff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000009738e10000 0x9738e10000 0x9738e2ffff Private Memory rw True False False -
pagefile_0x0000009738e10000 0x9738e10000 0x9738e1ffff Pagefile Backed Memory rw True False False -
private_0x0000009738e20000 0x9738e20000 0x9738e26fff Private Memory rw True False False -
pagefile_0x0000009738e30000 0x9738e30000 0x9738e43fff Pagefile Backed Memory r True False False -
private_0x0000009738e50000 0x9738e50000 0x9738f4ffff Private Memory rw True False False -
pagefile_0x0000009738f50000 0x9738f50000 0x9738f53fff Pagefile Backed Memory r True False False -
pagefile_0x0000009738f60000 0x9738f60000 0x9738f60fff Pagefile Backed Memory r True False False -
private_0x0000009738f70000 0x9738f70000 0x9738f71fff Private Memory rw True False False -
private_0x0000009738f80000 0x9738f80000 0x9738f86fff Private Memory rw True False False -
private_0x0000009738f90000 0x9738f90000 0x9738f90fff Private Memory rw True False False -
private_0x0000009738fa0000 0x9738fa0000 0x973909ffff Private Memory rw True False False -
locale.nls 0x97390a0000 0x973915dfff Memory Mapped File r False False False -
private_0x0000009739160000 0x9739160000 0x973925ffff Private Memory rw True False False -
private_0x0000009739260000 0x9739260000 0x9739260fff Private Memory rw True False False -
private_0x0000009739270000 0x9739270000 0x973927ffff Private Memory rw True False False -
private_0x0000009739270000 0x9739270000 0x9739283fff Private Memory rw True False False -
pagefile_0x0000009739270000 0x9739270000 0x9739282fff Pagefile Backed Memory rw True False False -
private_0x0000009739270000 0x9739270000 0x9739272fff Private Memory rwx True False False -
private_0x0000009739270000 0x9739270000 0x9739271fff Private Memory rwx True False False -
pagefile_0x0000009739280000 0x9739280000 0x9739280fff Pagefile Backed Memory rw True False False -
pagefile_0x0000009739290000 0x9739290000 0x9739297fff Pagefile Backed Memory rw True False False -
pagefile_0x0000009739290000 0x9739290000 0x97392a2fff Pagefile Backed Memory rw True False False -
pagefile_0x0000009739290000 0x9739290000 0x9739290fff Pagefile Backed Memory r True False False -
private_0x0000009739290000 0x9739290000 0x9739292fff Private Memory rw True False False -
pagefile_0x00000097392a0000 0x97392a0000 0x97392a0fff Pagefile Backed Memory r True False False -
cversions.2.db 0x97392b0000 0x97392b3fff Memory Mapped File r True False False -
private_0x00000097392c0000 0x97392c0000 0x97392cffff Private Memory rw True False False -
pagefile_0x00000097392d0000 0x97392d0000 0x9739457fff Pagefile Backed Memory r True False False -
pagefile_0x0000009739460000 0x9739460000 0x97395e0fff Pagefile Backed Memory r True False False -
pagefile_0x00000097395f0000 0x97395f0000 0x973a9effff Pagefile Backed Memory r True False False -
private_0x000000973a9f0000 0x973a9f0000 0x973aaeffff Private Memory rw True False False -
pagefile_0x000000973aaf0000 0x973aaf0000 0x973b2effff Pagefile Backed Memory rw True False False -
sortdefault.nls 0x973aaf0000 0x973ae26fff Memory Mapped File r False False False -
private_0x000000973ae30000 0x973ae30000 0x973af2ffff Private Memory rw True False False -
pagefile_0x000000973ae30000 0x973ae30000 0x973ae30fff Pagefile Backed Memory rw True False False -
private_0x000000973ae30000 0x973ae30000 0x973ae45fff Private Memory rw True False False -
pagefile_0x000000973ae30000 0x973ae30000 0x973ae45fff Pagefile Backed Memory rw True False False -
pagefile_0x000000973ae50000 0x973ae50000 0x973ae65fff Pagefile Backed Memory rw True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db 0x973af30000 0x973af72fff Memory Mapped File r True False False -
cversions.2.db 0x973af80000 0x973af83fff Memory Mapped File r True False False -
propsys.dll.mui 0x973af90000 0x973afa0fff Memory Mapped File r False False False -
cversions.2.db 0x973afb0000 0x973afb3fff Memory Mapped File r True False False -
pagefile_0x000000973afc0000 0x973afc0000 0x973afc0fff Pagefile Backed Memory rw True False False -
private_0x000000973afd0000 0x973afd0000 0x973afdffff Private Memory rw True False False -
private_0x000000973afe0000 0x973afe0000 0x973b0dffff Private Memory rw True False False -
private_0x000000973b0e0000 0x973b0e0000 0x973b1dffff Private Memory rw True False False -
private_0x000000973b1e0000 0x973b1e0000 0x973b2dffff Private Memory rw True False False -
private_0x000000973b2e0000 0x973b2e0000 0x973b3dffff Private Memory rw True False False -
pagefile_0x000000973b2f0000 0x973b2f0000 0x973baeffff Pagefile Backed Memory rw True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db 0x973b3e0000 0x973b46afff Memory Mapped File r True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db 0x973b470000 0x973b482fff Memory Mapped File r True False False -
private_0x000000973b490000 0x973b490000 0x973b58ffff Private Memory rw True False False -
private_0x000000973b590000 0x973b590000 0x973b68ffff Private Memory rw True False False -
pagefile_0x000000973b590000 0x973b590000 0x973bd8ffff Pagefile Backed Memory rw True False False -
pagefile_0x000000973b590000 0x973b590000 0x973b590fff Pagefile Backed Memory rw True False False -
private_0x000000973b590000 0x973b590000 0x973b5a3fff Private Memory rw True False False -
pagefile_0x000000973b590000 0x973b590000 0x973b5a5fff Pagefile Backed Memory rw True False False -
private_0x000000973b590000 0x973b590000 0x973b684fff Private Memory rw True False False -
pagefile_0x000000973b5b0000 0x973b5b0000 0x973bdaffff Pagefile Backed Memory rw True False False -
private_0x000000973b690000 0x973b690000 0x973b78ffff Private Memory rw True False False -
private_0x000000973b690000 0x973b690000 0x973b692fff Private Memory rw True False False -
private_0x000000973b6a0000 0x973b6a0000 0x973b79ffff Private Memory rw True False False -
private_0x000000973b790000 0x973b790000 0x973b88ffff Private Memory rw True False False -
private_0x000000973b790000 0x973b790000 0x973b792fff Private Memory rw True False False -
private_0x000000973b890000 0x973b890000 0x973b98ffff Private Memory rw True False False -
private_0x000000973b990000 0x973b990000 0x973ba8ffff Private Memory rw True False False -
pagefile_0x000000973ba90000 0x973ba90000 0x973ba90fff Pagefile Backed Memory rw True False False -
private_0x000000973ba90000 0x973ba90000 0x973bb8ffff Private Memory rw True False False -
private_0x000000973baa0000 0x973baa0000 0x973baa2fff Private Memory rw True False False -
private_0x000000973bab0000 0x973bab0000 0x973bab2fff Private Memory rw True False False -
private_0x000000973bb90000 0x973bb90000 0x973bc8ffff Private Memory rw True False False -
private_0x000000973bc90000 0x973bc90000 0x973bd8ffff Private Memory rw True False False -
pagefile_0x000000973bd90000 0x973bd90000 0x973c58ffff Pagefile Backed Memory rw True False False -
private_0x000000973bd90000 0x973bd90000 0x973be8ffff Private Memory rw True False False -
pagefile_0x000000973bdb0000 0x973bdb0000 0x973c5affff Pagefile Backed Memory rw True False False -
private_0x000000973be90000 0x973be90000 0x973bf8ffff Private Memory rw True False False -
private_0x000000973bf90000 0x973bf90000 0x973c08ffff Private Memory rw True False False -
private_0x000000973c090000 0x973c090000 0x973c18ffff Private Memory rw True False False -
private_0x000000973c190000 0x973c190000 0x973c28ffff Private Memory rw True False False -
private_0x000000973c290000 0x973c290000 0x973c38ffff Private Memory rw True False False -
pagefile_0x000000973c5b0000 0x973c5b0000 0x973c5c5fff Pagefile Backed Memory rw True False False -
private_0x00007ff6d34ae000 0x7ff6d34ae000 0x7ff6d34affff Private Memory rw True False False -
private_0x00007ff6d34b0000 0x7ff6d34b0000 0x7ff6d34b1fff Private Memory rw True False False -
private_0x00007ff6d34b2000 0x7ff6d34b2000 0x7ff6d34b3fff Private Memory rw True False False -
private_0x00007ff6d34b4000 0x7ff6d34b4000 0x7ff6d34b5fff Private Memory rw True False False -
private_0x00007ff6d34b6000 0x7ff6d34b6000 0x7ff6d34b7fff Private Memory rw True False False -
private_0x00007ff6d34b8000 0x7ff6d34b8000 0x7ff6d34b9fff Private Memory rw True False False -
private_0x00007ff6d34ba000 0x7ff6d34ba000 0x7ff6d34bbfff Private Memory rw True False False -
private_0x00007ff6d34bc000 0x7ff6d34bc000 0x7ff6d34bdfff Private Memory rw True False False -
private_0x00007ff6d34be000 0x7ff6d34be000 0x7ff6d34bffff Private Memory rw True False False -
private_0x00007ff6d34c0000 0x7ff6d34c0000 0x7ff6d34c1fff Private Memory rw True False False -
private_0x00007ff6d34c2000 0x7ff6d34c2000 0x7ff6d34c3fff Private Memory rw True False False -
private_0x00007ff6d34c4000 0x7ff6d34c4000 0x7ff6d34c5fff Private Memory rw True False False -
private_0x00007ff6d34c6000 0x7ff6d34c6000 0x7ff6d34c7fff Private Memory rw True False False -
private_0x00007ff6d34c8000 0x7ff6d34c8000 0x7ff6d34c9fff Private Memory rw True False False -
private_0x00007ff6d34ca000 0x7ff6d34ca000 0x7ff6d34cbfff Private Memory rw True False False -
private_0x00007ff6d34cc000 0x7ff6d34cc000 0x7ff6d34cdfff Private Memory rw True False False -
private_0x00007ff6d34ce000 0x7ff6d34ce000 0x7ff6d34cffff Private Memory rw True False False -
pagefile_0x00007ff6d34d0000 0x7ff6d34d0000 0x7ff6d35cffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6d35d0000 0x7ff6d35d0000 0x7ff6d35f2fff Pagefile Backed Memory r True False False -
private_0x00007ff6d35f3000 0x7ff6d35f3000 0x7ff6d35f4fff Private Memory rw True False False -
private_0x00007ff6d35f5000 0x7ff6d35f5000 0x7ff6d35f6fff Private Memory rw True False False -
private_0x00007ff6d35f7000 0x7ff6d35f7000 0x7ff6d35f8fff Private Memory rw True False False -
private_0x00007ff6d35f9000 0x7ff6d35f9000 0x7ff6d35fafff Private Memory rw True False False -
private_0x00007ff6d35fb000 0x7ff6d35fb000 0x7ff6d35fcfff Private Memory rw True False False -
private_0x00007ff6d35fd000 0x7ff6d35fd000 0x7ff6d35fefff Private Memory rw True False False -
private_0x00007ff6d35ff000 0x7ff6d35ff000 0x7ff6d35fffff Private Memory rw True False False -
mksmd.exe 0x7ff6d3e70000 0x7ff6d4205fff Memory Mapped File rwx True True False
actxprxy.dll 0x7ffc48ff0000 0x7ffc49459fff Memory Mapped File rwx False False False -
urlmon.dll 0x7ffc4b540000 0x7ffc4b6d6fff Memory Mapped File rwx False False False -
iertutil.dll 0x7ffc4ddd0000 0x7ffc4e145fff Memory Mapped File rwx False False False -
propsys.dll 0x7ffc511b0000 0x7ffc51332fff Memory Mapped File rwx False False False -
winnsi.dll 0x7ffc51c30000 0x7ffc51c3afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7ffc51c50000 0x7ffc51c87fff Memory Mapped File rwx False False False -
apphelp.dll 0x7ffc52cd0000 0x7ffc52d47fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7ffc52d70000 0x7ffc52e05fff Memory Mapped File rwx False False False -
mpr.dll 0x7ffc53810000 0x7ffc5382bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7ffc53a90000 0x7ffc53ac2fff Memory Mapped File rwx False False False -
userenv.dll 0x7ffc53b80000 0x7ffc53b9efff Memory Mapped File rwx False False False -
cryptsp.dll 0x7ffc54210000 0x7ffc54226fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7ffc54280000 0x7ffc5428afff Memory Mapped File rwx False False False -
sspicli.dll 0x7ffc54320000 0x7ffc5434bfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7ffc543d0000 0x7ffc5443afff Memory Mapped File rwx False False False -
profapi.dll 0x7ffc54580000 0x7ffc54592fff Memory Mapped File rwx False False False -
powrprof.dll 0x7ffc545a0000 0x7ffc545e9fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7ffc54610000 0x7ffc5461efff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7ffc54620000 0x7ffc54663fff Memory Mapped File rwx False False False -
windows.storage.dll 0x7ffc54670000 0x7ffc54c97fff Memory Mapped File rwx False False False -
shcore.dll 0x7ffc54f80000 0x7ffc55032fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
imm32.dll 0x7ffc55280000 0x7ffc552b5fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
msctf.dll 0x7ffc55380000 0x7ffc554dbfff Memory Mapped File rwx False False False -
user32.dll 0x7ffc554e0000 0x7ffc5562dfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7ffc55910000 0x7ffc559cdfff Memory Mapped File rwx False False False -
shell32.dll 0x7ffc559d0000 0x7ffc56ef4fff Memory Mapped File rwx False False False -
nsi.dll 0x7ffc56f00000 0x7ffc56f07fff Memory Mapped File rwx False False False -
gdi32.dll 0x7ffc56f10000 0x7ffc57094fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
combase.dll 0x7ffc571d0000 0x7ffc5744bfff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ole32.dll 0x7ffc57750000 0x7ffc57890fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7ffc578a0000 0x7ffc578f0fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7ffc57970000 0x7ffc57a14fff Memory Mapped File rwx False False False -
advapi32.dll 0x7ffc57aa0000 0x7ffc57b45fff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
For performance reasons, the remaining 296 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
Filename File Size Hash Values YARA Match Actions
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.bmp.RYK 784.33 KB MD5: 9ce5ca70571523db2aad14686621850f
SHA1: c4688e7054769426a96b6cb270478d3974484f50
SHA256: 3205b49de41b2e98eaa6872b03b48a5b689169f39b01dcb7bb4efb78fb4f429f
SSDeep: 24576:zBULrNPYuFMlSsBSun2Z+/78Vd53xzdvx:zufNPYgVsAuZAv5hZvx
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini.RYK 0.64 KB MD5: bf25a28a556d74e7e41f07d8c9a6ac26
SHA1: bd8b0fb6ff90b8289650dcacb100620605bed23d
SHA256: 3e1059ced26467b29d20073413477e69b7b30504c7fea76e06c16ad80d06a570
SSDeep: 12:nxnJNpKipgH3t5l96I5qVaK5gVuXhru6E9d/ZpQM7so8yiKmOqArKURsn:xNKqgXt796QmaogV2hrqWyAFArHRsn
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\20\189.RYK 0.41 KB MD5: 28370f29899258417c535969c5f94d6b
SHA1: 375d9e9bb71a8baf14b664da843a64cd46e66f41
SHA256: ef80b50a562a80f185729e24aa9842dc2269178ecf850bc91f00de67c5115f29
SSDeep: 12:jEMfObfUmoP9eIEHm9N2PVmjYG8hVVwy7z3KN8MBon+:30f/oVe09NiGYpJ5X6m1+
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\XPS Viewer.lnk.RYK 1.38 KB MD5: 5d710f6cc567da3fe7073422b1cd0274
SHA1: c7e8ae725989ef735acd24f28b9232c81b301a12
SHA256: e2de02c161dfc02799d0ca4b3198c2abaa2d5f969713cd961068057369003c1c
SSDeep: 24:3Pgso61eGvndu1fLpGyLiYafZikkHZ6obh/xA2BxStQntJP3Z6caHJ7yLAbQeF:34t8eG+GNVik0Z6oVxFSSt1wcaELA0eF
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.007.etl.RYK 16.28 KB MD5: c760fa2416902fd7f67fe56aa9a7a49c
SHA1: 43050ecd961def482a8fbf18a7078c0737f5c933
SHA256: 1ee55f16e0bfc150370cb2831ecc14be22114fd4af76e3cc1a0a0ed52576c606
SSDeep: 384:ZderXfZXaUCCCB128lWgtuvcRxaC9fcl/u2LkxdfNZX5Iez2SJS:ZsrBXaHvH5tXDaCg/u2LkxdzDz2SJS
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\09\238.RYK 0.41 KB MD5: 3ee75fad0c5a50aa6673412f0a81eff8
SHA1: bde87006ea9ca2d809a5021b22b98920b4f2f22a
SHA256: 2e120b317376c514bf45e3010b72f1b3089f7e064d84cce52bb7d883a1d8dd90
SSDeep: 12:I+19BSHo1EWIFrJkwOB2hn2/xJGy0t26k0:D19BSHwSFCwTAL0tg0
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Sticky Notes.lnk.RYK 1.44 KB MD5: 7478b15cb951e611c0a970591dba315a
SHA1: bac1b0aae083ff428c99fa1a3406f3b236feb849
SHA256: 3c837c37574ef673c2647ab292c3eec5a6497840846c22b8d3188a891f5e1c21
SSDeep: 24:7w6Zfec5or4NjxSZuqMiHcU6vcQ7d9VzbMGHBTXKWkIinwu19pqUnUcmCwHvN48Q:dEc5GQxSQqMi8dZ/oGHBTKx19YUUlCq2
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini.RYK 2.81 KB MD5: 705efdc9771d2bd0d19ba721bdadebf2
SHA1: e6675d7a96b6a447b4f1c7308b38838783256d0f
SHA256: 4d58bd80f77bc68f1600c07f44c9615a5819ad092c5b19888ad6fb99ce78824c
SSDeep: 48:NGVAhKj4xwavgw1Vs8W67Vk0kxxQ01LhVTPOFnr70pIw1w5j/axJ920V3fj9tbm:NGVUO81Vs8WL0kxxV1LhdSr7ijqQTvJ+
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\2\61\EFAE1E6619D4EE51.dat.RYK 0.50 KB MD5: 9c47b5cde8f9e28be4a740089f1b083f
SHA1: 165045769f51e8f467e43a6ca75bfe7ee3105679
SHA256: da2ba656f7833954f918ad6aaeb32dbcc5d78ce231123284f4fcf22e158c1ed2
SSDeep: 12:y//BlHQI3J78oGYB0eA5WDtm9p+UMVoJWAhTPfxQyn:y3fQIyoGA0ZU3ozhTPfuy
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.014.etl.RYK 16.28 KB MD5: f08c07acdf770160ca9f24c77c46e8da
SHA1: 363e7f1d324dda6795eeb26255a5697d4a7fce15
SHA256: a9f1ea4fd455e0fa88029415fcd4edd345bef642ea3fef66bf8917f5809b22f9
SSDeep: 384:s1pnf/AVdidGjwRvm+IFKZSEbhJeVLHY61kvart6:sr/AGe3+IFK4Ene9Y6NA
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\191.RYK 0.41 KB MD5: df20b92bbb6bfc735721dcc202a97d05
SHA1: 5c8b2d41c6f80208b26a9171f910b0b6162822c4
SHA256: bc67fa908195648ef28379fbff26d64b4a4ca7acf16e44633838cfae1edf8a8e
SSDeep: 12:bwR88lq998WCOVVCnEPUq4FmUwQwnN+9OQL:si8EfNCAVCEP0UQI+9Ow
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.018.etl.RYK 16.28 KB MD5: 2e9546f59fa8e2e7068e9b169470bb4e
SHA1: 188bb513f61311c33d6b8926603b4d7aadac3a73
SHA256: 3ede06be15faaeb8613d1752b35be5daffdb2ee236471f12eedf64cc300193b2
SSDeep: 384:4eUmc9XPKyJX7Z/9XLtKKyXIAhJZ7mWpTozEh+E/SN:THIfKyVZ/rKQA3ZPpTo4XSN
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\317.RYK 0.41 KB MD5: fa647246742b6fb361b947d4d1ed9ac8
SHA1: c3fd00b0df0d9530f5d3d9b8517a64f8c7b51a94
SHA256: d19c17be36894b07ad9415b2581ca43000ce5e1a0fcd387a405a60760931efbd
SSDeep: 12:sSNQsyyB/WRzIY5bqdl8pPIjZlPObdr7nO:vSyZWR/bq0hIjPObN7nO
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\setup\refcount.ini.RYK 0.30 KB MD5: b79cd319abcfad5d60a1dc4b903823b6
SHA1: cde312aa1b5a9836b2373c6e34e742ec5409c3cf
SHA256: a5f6f84922289275196933e3345d4f69d8d9df304d8438c530dc55ab79e47386
SSDeep: 6:lzVGCN2VFob1J7ArZ26zxONWh5zXO2weCRDXvM9NFzYb46piuxLd2N5rI:GFK0ZLzxONQjOLXveC00JxB2U
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Acrobat Reader DC.lnk.RYK 2.67 KB MD5: 72be97604257b58fb66ab9525a6f2b51
SHA1: 2096842f536df27d69cf807adf3a343a0e36b507
SHA256: 6e6495c7e17eab179215f3ae9c70e73634a17887951325ec8e9d32fe86f5d2a1
SSDeep: 48:OvkeMHdDPH3QhT9eU9plbhBuapuEtas6pSQ/wfls28bPdsidlPbsT:OMvR3qBeWlbPuuuka5Jofls28bPPlPoT
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\About Java.lnk.RYK 2.33 KB MD5: ae21b145423e4a72054dc2fe48091838
SHA1: 04315b5a689e7a7301070f80154fd18c36ba257f
SHA256: c8149696df480f7730c0415e829b842a478ce727e0b6d30fabf51efd834226ba
SSDeep: 48:GnJSlAFIrX6okiFE0BSWXdodDWsJsJ0d4o7mLws3FoYjHtMMz:jl43Bli9tE/JP4o6YYj1
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Wordpad.lnk.RYK 1.41 KB MD5: 999121f24b5ad6557232561d9f68e286
SHA1: e35e797667966668d24bed814a557b5426d16bd5
SHA256: 2cb77e768fafeb44f9146dd66c6c0d0a76044a6ed130fd53ed0cc9b676e455b0
SSDeep: 24:4qYXn1wZHEE+jw7oKeeMysw4baahpRlESFITckXSuBGzcNQD12ptN9lpVvt+:4qYXIHLCwMKdZswiaatlESFIh7GzGqsE
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Word 2016.lnk.RYK 2.67 KB MD5: 29d63779dc91fc4b7da0cc5ec414c451
SHA1: 67eb0245d688cff8edde5a5bba60bb322000e595
SHA256: fb72290f73d7d13f4e011f35ae9b48884d5c0b485fb2ce7a531e968546b3c58d
SSDeep: 48:j4wjErpmG4PSKbc7OJXjFLtKljWLPLmafyFGSgFqgf6IgVhEy1Ufp6zfgWU:j4wAVUPDbc7YKlaDL3fSGS+IIgV3kpqM
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini.RYK 0.46 KB MD5: 0fad7dbe16d35ff9d91f34c8d4e45a3e
SHA1: 9b4385b9b72ea52b194bba5d893b6c5d9c0ed8c1
SHA256: 6e03ce055d9e7aa7eb57a561d6a08988a3d6a11d66bea7d01a6d135181d5c9ab
SSDeep: 12:EY9UdKd2qemYxzwz7pSQqOto+ebC80fZVPEJlcF44QZ:EyUIgq7fqOve/0BVtZA
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-32.png.RYK 0.67 KB MD5: 2a8cd5721de9cdac4494ca0631e10845
SHA1: fc6d47fd3449af027cf15109d421c1f21022b3b2
SHA256: b1676ef87b0270c77d1fab4c406fd3b6d7a7a64d7e8b713d2931e3d45fd7ece9
SSDeep: 12:VoMqgcVTvUZ1oznCK6s85ATGNXpUPh5eP7jpL+VHMP8QCjWOkf4+F68wyb:mr5sZubCaIaIXpuh5eP/BGHMjQG4+FgS
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\03\324.RYK 0.41 KB MD5: 7d9258757d557b3ca1cf8038c8610ad8
SHA1: 6596abe6eb6766569797f891c94d65584b6cd63e
SHA256: 968b160d810d5b98a85b3c8b43676b9a24b75bd9d42080de395d33a5e88e4934
SSDeep: 6:rAOqF4IoHLJM0toQsp3327h04ms7CwfhLGSrBfjyeBAyEGH9Nw8TTTAkd8PZL+eX:cOtrJBtvuaBJN/Eg9pWPR+eVwY+zTy
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\193.RYK 0.41 KB MD5: 625afda9892eb294c1a9749144e8e5fa
SHA1: 42607b0769f644e507598cd115be583b32e5c160
SHA256: ef9457a1a97ebe77f6a483e2c7c57c86d3dc77f471233b6a02f0a474d1fc19e2
SSDeep: 12:mmqbUxZATwce08mkRsGXzWX9jhsvqUNeCBI23CS:m/hTD+HJeCm8CS
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\09\13711.RYK 0.41 KB MD5: 35db5be44bfafafcd428039d08beb63c
SHA1: 8032e4f39b9f8925ca9a4f8c51156e2152a343a8
SHA256: f756ea8179facc9e7bdeb6ce456e528e481c65f4738e8421fc5258f0d18d54d2
SSDeep: 6:AhvYpHW2hyWTY8Ofzd3FqnzgIIhXmwobPtChAODLYPaGQ6VhwJvuRVnluyaP+J3z:AJYppYDfzdVczTIowyeRXHGv0h4roel
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Get Help.url.RYK 0.46 KB MD5: df47c7f823fc9204c6c41487f741005e
SHA1: 059729407d5114fd89dad5df746986cfd44c5478
SHA256: d35b0fb34beb249c8651df396b94c78b4c1c2898a2721a3add68170d634b69e1
SSDeep: 6:4LSav4VQvk+TC/ajxAqo9o2RGQ9nu5h9q99fOC6BKaabCKOlcY53sm3A381/P:Evxk2DxVo9o1Yn+h9q9tOZt9ym3AM13
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.021.etl.RYK 8.28 KB MD5: 5953cf626150923e94a99bb251db096f
SHA1: 6caf880d50c7bb27b96a34b1de0c2ab82e12baab
SHA256: f3d81bef59ff3af4a2be802bb006c5959609b17a4cc6cc4cae41459630deca52
SSDeep: 192:WqlFIILvsI3IcaZfD2ZPlvlrYHOv7IAlTOP:7fIIgI3I1ZfDSPlvSOM+TK
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint.lnk.RYK 2.67 KB MD5: 71e954f49812a366e994a0390fa81b1e
SHA1: 25f9dabc7a7f2872b9ca5b1467253b7b50649105
SHA256: 9e1b491ceb889cbbbeff500c90fb58bcff571ef6b2a540f3b9e7f89695dda24b
SSDeep: 48://kIYyLK6zyNkM7yUZIYIUokr3iyKZuhRXb5KP+THktowh+nhvibCxMeN00kZczD:/RYziEyUZIuokr3BKZS8sHOdh+nS+RWW
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\10\286.RYK 0.41 KB MD5: 595223669a0c8b13c845bb5615578ba1
SHA1: de57cc02dcdce85aefb3e6812cc568965711da92
SHA256: 39b604a72995f186c4522b8475c7caa795574cf60d35525e63c0e4bb79a6aa6a
SSDeep: 6:qEIOqdku3zjtNWiXVwyZW+MLSxaq7651ziwDmAiY2hG0ZAoPOXXDrvChEykXj7pa:PYSqzLWrScsWRLTnIAKhGbvmIBANhSS
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.005.etl.RYK 16.28 KB MD5: bee95e37d1d1207094e7bc8fbc4e615d
SHA1: ccaa75ec1a439e07ac3b2344695bda2eb8018299
SHA256: 363bc7f727273c56ea5938e6dc093f3a81e33df8787b4faa0acc294a0a15ba87
SSDeep: 384:/Xh1L8JFvBrn3rY0dBN2Bhp+WBandKoyUot:vUzbLZ2PpR40ohot
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\04\259.RYK 0.41 KB MD5: 0a829fdf530f48b23e78593aafc0e46d
SHA1: a6fa919d2f13f77b996b3ab26bbdfb102baa52a8
SHA256: 4b3e1b451abd77648a51bfb4ed4dde06432ea297ccd1df150f2bf02fcf82bfbf
SSDeep: 6:UKeCsFy1jzHbtQNNaqwObEqkpy4AR5xCE0xVo3OGZeh/1KauesHyz+A:UKeC317+NNaMh34A/xCdxe3pZc/1BLj
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Active.GRL.RYK 14.89 KB MD5: 7e8342a691ced2bd8e17aa5d87f7b50d
SHA1: 90d9caba4a89c196b1dd9c4f99526aea19a72c89
SHA256: d8dca38d5b5dce2b301da7acd9fe3075c6eb74548e2507f796321f1461094efc
SSDeep: 384:xqUSPbw/fAe8x6UZFBjT31/FWmgk0HZ4ayyay7W+UEVy:zdfATBjT31w0Ly7SEk
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Visio.lnk.RYK 2.38 KB MD5: 014ccd9ea90832b718c4d36582e83d2c
SHA1: 733ef3afef366cf2a2ae09debfc4fab27bc68a83
SHA256: 8095e1179a41ed8824da9ac2fdaceb80d7ce43a0250ec9e201af6e8a229bdc02
SSDeep: 48:vS8+M46PFNG9OvE5kGgnkZs9KJR69K/QDzbekD7P0cLEHSY:vD+wtEQv+snkK92R6dbekH/Y
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\04\261.RYK 0.41 KB MD5: 9260ee84cdd948a7f0a616e239a7fce4
SHA1: 090ecd365ce9e3070e5711484deb32f2b5fa2b54
SHA256: f8f033a3b676a5b81bcb148c7ae3c0dd424edd6f4b21b6cb4b4bcf22402f4c28
SSDeep: 12:HQMLjQvKBo3LOsld8NRUDgall+6j2JdlE:wMzBo3LOZ3UDgI+6GdO
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.009.etl.RYK 16.28 KB MD5: a83e23a51ef16db4bbb813f7ec7be29f
SHA1: 696b6d2c3ad500ba59e4b2e379e5bc3c6d222316
SHA256: 7e7947dc49421199a2f630c15a18eecb7ebeb35fb5065b541ae54265b9eebaf9
SSDeep: 384:vu5Esc/IREC+IiMvL/jP+rOykJR9EM0PSPMFDjfQ:vu5cmDiMrD+rOyuRKMmSz
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Project.lnk.RYK 2.39 KB MD5: 5251638440810f45dbd987be0874e715
SHA1: a6f45667b8fee7cb676d637abd0326b9bf20617e
SHA256: d00886f46f8030aea9b94c5832c7c4dca66b38a2b31f5368d87da687ecb98c30
SSDeep: 48:6R3Liso0kcGRbKWU7NJuuaHzxM+HkYcx1F05SIVSyKUYhza/ZTW:U3LBo0kcSKndaHzdHkYcj0SUbKUOd
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\06\13710.RYK 0.41 KB MD5: dcb79fd22992132709451cad76f83b93
SHA1: 55d150bb9df3c94bca510132c127672586b3b86a
SHA256: f4b6b54f8dfaf44b8de7f2592bbf5e8dab37523b2f4fddf3f698e7bc79201caf
SSDeep: 6:D680DfR03rsbyn1kZU0wv4nHgV+rypvTqfBNQBV239APAqIArH9X1jte5JMcf8fR:DXAby1IVwv4HCnRIQj2t47HY5JMcWj
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Check For Updates.lnk.RYK 2.35 KB MD5: 13997acab674989f0de606ceaaca2278
SHA1: 6994a9a64afc8a31a15d818038f658d901aaeaab
SHA256: 4f2cd40196b3f48826a238dbc495e302d72d64d7ababe959f0e3611e99b80b20
SSDeep: 48:AQovPJDhxOMc/KthEogJ+F8yhW5gfL39TwSQLBLRn8oTQHM6IBL52HjxZ:DuPJeMcShngJ0pkZBLy+R52DxZ
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.010.etl.RYK 16.28 KB MD5: 6781944f1fc1fc62a0b9cce2c3922864
SHA1: ae9e3a725e52644cefb9d2592dacca5700a664e4
SHA256: fa23639146abd1c65d8357ba957584162b587cccc40533362047de97e206089a
SSDeep: 384:VfARKfvnLsr5tvjFwxZ1GetLj5+/yw5WZNAuT42JXa:VozvjFwxKeNj0WZ9Ja
False
C:\Boot\BOOTSTAT.DAT 64.28 KB MD5: 6e48e19e0886eac333612fa2e99f8023
SHA1: 96744f7909303af9090ae47a76e41edb03a731f3
SHA256: 1c3e1dea59ece439a1f2017398c10fab8e8f51184eeaedfdbd52d02e8d707ea8
SSDeep: 1536:/Ps0yoopRFvUp+xsfYQ2qJgcm7/vIZnyyaT6MZrYo9/w1B2G96:/PlyjpRep+xamum7/Kny5JrYo9/w1gGc
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MpDiag.bin.RYK 0.39 KB MD5: 1e86e8aa2affb4c523ce95f39c9d2855
SHA1: cf53a76a7211c628fe60b7f289a2053a09cef88c
SHA256: b8db1b7e17f7156f35cb6dc88ca77bbbe45beb9852fc95490533d5f1ca999abe
SSDeep: 12:V2pgt1zfkfxrmwx58BYrewOQ8cV0v6feJ:V26vkfJmwx58BYrebQNV0SmJ
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\263.RYK 0.41 KB MD5: e314d471f98f73d3dd62604fd7ddfea7
SHA1: 07a672f364fbfec5bfe242809b3ef3c3797ad25d
SHA256: 90a84369b8725eddd2afe281a8c8116dd380f8aa68212f1c690a5aaf99a49211
SSDeep: 12:RwLsgboYR4RETdYRKRvvnMYLCOuji9wdT+HfhX5YG:nYoYjxMY8ji6dT+HJX59
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\21\260.RYK 0.41 KB MD5: 383e19bbe28ec72d76dde73a8bb641cb
SHA1: a6f630ab949f154ed50a3d7147b9a6dc7da9b171
SHA256: cf26a515eaa16318193585cbb373e2c3c266ae05ae0181f548f003de357750ef
SSDeep: 6:woMHcauxOjxtV1E8JXAe6iUh/vl5U0rJJ5RfXzK2H3lfl7YN6Ng4Uo/REjdshn:w7HcauoLE41G/E+JDfvIN8U2qjdg
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini.RYK 0.64 KB MD5: 436ab3304d8b873d810cc87057a97c05
SHA1: 05f6b9f01c402869b793ab3f763081f946ec4bf7
SHA256: 59df6f424a8cdaabc43aef5c28e73bb299cd830d20d908c8d078a23acdc3b858
SSDeep: 12:zHr76evBqISHraS41AJILK7KgRwRVYbPRtaONBTShCBcAVQlRR9F+KfTaHPpgZ:zL76eZ+b4dkPO25SYBccOfF+Kf0BgZ
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\198.RYK 0.41 KB MD5: 6252d44a67eaaf5eca31a1d22919028f
SHA1: 5bbf03ce8df9b0e0def8a93c8800accd792296ab
SHA256: c10ab43bfd38609d3fb70c89eab79a111dd4f677157655bceb83bd8c32a20e58
SSDeep: 12:W1h4LueGbPHiYwzKarTobMRTE2SVGZj4yDee5CVM:WUw/iLzKKIYg2jZMs
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Devices Flow.lnk.RYK 2.42 KB MD5: a5b81558735503a12d07bd4949d9b1f7
SHA1: e72155f9431cdcb586ca672b21663e461670c876
SHA256: 62d70b204ac256e00c6339fa6b6ca078b27fa407525302497f823a00b3c0552d
SSDeep: 48:4G5pKEXbbSGTyOi1Iung/y5DdGT5w7vjxvWwhNfnko8+rDEnb5OGBeoGRs:3f9beGOruymFw/xvWindr0eoGRs
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Outlook.lnk.RYK 2.63 KB MD5: b6b9667135c28867eb8b0d9a2c9ab082
SHA1: 5ef46b9ab8a2170cc4feda092c44603292b066af
SHA256: 719637be00b991ef67e482e4e3faa3e9217b5c9b497d12cf3e227adb024fea9f
SSDeep: 48:7HLbw8dvrzF2bfYqUQbMWHAqwABx4/dEbE6OBDNPLF:73bzKRbMmNz4lEbE6QPJ
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini.RYK 0.44 KB MD5: 1bbf85bf8d80c2707dfd86e9f5eac340
SHA1: 1a2407f6fb7f0f72dca03c83ed47e66be37a402c
SHA256: c597c78f930b4cae6aa4e00bb028fc4e39bce28b81fbae5f67e1227aa8868137
SSDeep: 12:pkt8bIySXrnqUsP00Q+dRwK7iolCgoDHNwm0Yk:Otdt7ncPK+dRw8iiC3imhk
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneDrive for Business.lnk.RYK 2.42 KB MD5: 460b5756adfb11ad91290019d7c1050b
SHA1: 605fc04caf74984986e4104ed56997be6da76b94
SHA256: 63949ca75f9496dbf6e36d8d646639ef4a61018f5db1b7e76c86a244d275c9c1
SSDeep: 48:eABwLVZBoeAQ4o9eYswZ9RX+U2hCb1YKmyFMdmxpP3SwKfQYmh6:ejLieCJYpUhCB4kMy9SwKfx3
False
c:\programdata\microsoft\crypto\rsa\machinekeys\08e575673cce10c72090304839888e02_427a1946-e0ff-4097-8c9e-ca2c1e22780b 0.05 KB MD5: 93a5aadeec082ffc1bca5aa27af70f52
SHA1: 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256: a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SSDeep: 3:/lE7L6N:+L6N
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini.RYK 0.44 KB MD5: c1904bbc4d16c09d11924eec6ce70159
SHA1: 3df3b3c384159984af846493892fc3c368b02bed
SHA256: e6d1d9c5d642717fc39bd29a10070a5ea2a32109f3e99d339f8bebb6875d05aa
SSDeep: 12:B0KWp4vtYY5t3gMbIWNAJxwDTg+frCkWwX3vie23ao:B7lYK3gXWNAJxwDLRnviBF
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access.lnk.RYK 2.64 KB MD5: 882485d5140949b615c2aa5551972e77
SHA1: 3b358194f72983f6fbcda7c87a854fce3b7dcda9
SHA256: 479af70faa130cc183e5fbc3abf1e2951f6cfb470d9d047077cbe74016239eda
SSDeep: 48:UTY++U56QgqR6qovknK33pxNgE0lCbzkmxAE48g52Dlmw+QJ093KWpf/2sipsthV:I+6RgqR6qg33pbg9Yb45J8g5pxQJnWp3
False
C:\BOOTSECT.BAK 8.28 KB MD5: 420177e81b5d588254cb266ff886e1b6
SHA1: 21a11f7e5586462e204ba1bac51511f4d7f68e02
SHA256: d7abf249fafefeb95f7d3ef44b02210c202e3b5e6f8642cbe099c5a57dc44297
SSDeep: 192:d8oNqu7YEaBXDkJbaUCm8XQQNvuk447dsMnIekdR4fN3Hl+:d8GKXXabL5XTk2XdR4l1+
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Task Manager.lnk.RYK 1.38 KB MD5: ea6864908039f3431e4985cdb1021391
SHA1: e1acef49ca309d0bf57527b33bf05769e873be9d
SHA256: c9af767c3aad9c814851f8209575aa2945883950e90500669a588a8a042a9e35
SSDeep: 24:VLg/Qh1HKfqxmAOVaADXuc+GTDzVuyfwGLaYG+jGhMKb6H3uxnqz3dK4aan:VLlhNccmrcc+G/ZFfwGRDMMKOHb384aa
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.002.etl.RYK 16.28 KB MD5: 4e94a77c32a6fa69aeae9117f51aff50
SHA1: ec61c1011cac1d4f883fb43767f348304905f035
SHA256: 3692c69afa0e608afc2b12f2bb7d16f8807b82bac1320adf7c9d6edfa64e40f5
SSDeep: 384:gSci3EiEYvomaxtBwuEFdLrTRguU/rnrRPKTtBGEf:OUEishtBwueHTeuU/LrZKTr
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Outlook 2016.lnk.RYK 2.63 KB MD5: b035e1fc1b2341401b6e04f7e6591917
SHA1: 7fa2e5d60b8c0be47f46fb6af06f9352c60e542f
SHA256: f9ae7548a61e0d74e9a2948b7a1da2aee21ce88dd5b605608c5402d6eb967bcb
SSDeep: 48:q1zuVuHKK8KxccmcgB0AJq6ZPRAa3+3EAQpZ5nfcY1E+VbBTMn5a/LK5o+4D:JK8KcvN9YeSi5fcN+Vb6n5aO5ED
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Math Input Panel.lnk.RYK 1.42 KB MD5: 320b22529433a6193057ed03798ad8be
SHA1: 4893b176a35de20b609e5d8ddeffe46d2e21c05b
SHA256: 1243c4b127e6d4c92a46d1e80f86fa9cec7daa5b3b26dfd7476f100af61b96be
SSDeep: 24:/NyuhwQkRosswB3vpS9lMfRqu9T6L+cFZDzysQzAzcSexgvq8VFWN8RQn:IuhkRBB3vpHfk2TI+cFZDzLzcSchke8s
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.0.xml.RYK 2.21 KB MD5: e22e9bcbb84cdb870fb9393ad63c76f1
SHA1: 45a1da6119648b4083bbcfea2bcc46f1c15199a2
SHA256: 16a843994e9d30634d7c18db3fd6e4cddeb6f64fbba8372e0330b82654c2c8d6
SSDeep: 48:bhcJh3hCTa+lgk06nCmv9eaHh+e5lzWbDp/WshXq64bzti/izX/bVXWtx+:NcrIFyk06CfaHhN5Wl9h6g/K5XWH+
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.bmp.RYK 784.33 KB MD5: b582be723b9100ce350ea13bcab06cc3
SHA1: 6666cd59eb1e66d9a754b7ba499134576fd4d9f9
SHA256: e59dcdca51aac31b2d48d93eebbb50013e8e304a48e61a8141384b0d0c508bb7
SSDeep: 12288:yfh8rkzA3pMHAWYWCLCg8An5LZ8Nz7NJUo4z4y0ApKaV75oh06T2bPU/QcCj1Zk:yZW13SHApW4CC2rlNM75E06TaU/fys
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\installcache_x64\baseimagefam8.RYK 10.00 MB MD5: 93eff481a09d4743c4672188709ec76a
SHA1: 484a1b7a9096b48e9535fde293abda11f4845dd8
SHA256: 118d6d609e83e7e53c91c8d330d36d6031a48861577d150c83e9469bd05ee1c3
SSDeep: 196608:VyqECAMrm/WyvONqviB7JzEShAmGmuHUeTLrbhN8+TEhJ9WuOKlj9vQy267V:VyrCAvfYlEKAmIXhNm3bYy26R
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\300.RYK 0.41 KB MD5: 763e562185d7c950e6617074577d3b95
SHA1: 5de138ae8292333d5260e6a62ab84052c62fa512
SHA256: 5692c6faa62cd0425ee575f58abd36b62569504c326760e8643cab015eadd704
SSDeep: 12:A7P4VJWC4qN4yTY4Yz+xUYOpE785KnPEu5RKydpn:2zqN4L4YzfpE78YE8g+p
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access 2016.lnk.RYK 2.64 KB MD5: af51e5c3923d9dfdaa409c2049dd09a6
SHA1: 822328de07965db94a1ad38b63602c0d6a8ad34b
SHA256: 7566c90f9c5813731bd755cf31fac034234090f1f501675f3c3402c8284baace
SSDeep: 48:erAKwc/gwGg9JZPmDuLyq4vH/kvjCknr0VysZxO29+d56LnvnbQFlQ:erAvuJZuDuLyq4fabr0V7x3i1K
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.006.etl.RYK 16.28 KB MD5: 250ebbb180089ffe82a7d8d8332e1393
SHA1: e53687e5f9f16eacc718400d6c68679a60b50e0c
SHA256: a904f9e3309e8a0b79aaf49f54edba3d9a2d2463e50034918061ed0b1bad7792
SSDeep: 384:pjQhjDEBNY0OMM/GoOb5vHoa9bfXf23WXUq54HtZAN0/O:pjQhjDEBNYR/cdIKfZ4NZANb
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\09\287.RYK 0.41 KB MD5: bebf2e1d1628deeb22e503fd69220559
SHA1: 1826de8c220a6ca570af750007398f483fa6d562
SHA256: 9a0230141548f028833273c11743239c2cb009607f1670aa149a472d62bcacfc
SSDeep: 6:y4Dok4SjvGAtQWzAQ62W/1p3P1lAoiqzMOGwF/RBFCgtAnnUEVQRH8rxcMh6Y:KkJuAtvEn2WL3PLNiqIO9ttQcH8uMhz
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Search.lnk.RYK 1.83 KB MD5: 724ca372ad76045d8eb691d86a572f7a
SHA1: 0ff2396fb1e061644f4513e1ae372b108440e1ac
SHA256: cb1d21ab8b7cc44734050cd0b31da71d38e9895ef0ab57ce6f8e4e458c3c3bbc
SSDeep: 48:12A83U+By1+g7DzVW4UscZVidXGXNMin2VDys9+E:YA83ULH7c4U8dX4cDyK+E
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\3\0000000000000000.idx.RYK 0.36 KB MD5: a1d1fafaec278573ecc7f9cc093355b4
SHA1: 0af3aad604c45d2cf92fe536b961979893ff36b2
SHA256: 2b316436037a037682cf785efa40c873d0239b6507569a1d27117e62a0b07ed0
SSDeep: 6:/qmphipA8rswauva8eBhqePTcLXxM3wK726aOnOKZ4mKGQ0poeR7jRp:CiYfaga7qeLcLqwqJaIF4j0mU7tp
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-40.png.RYK 0.71 KB MD5: ba4412afe06b8bbc5711659b477cbabc
SHA1: 2e098b05d53c4f7c6955c7abe1fb0370bc611689
SHA256: 74c8c637b42ec53b4f4c4f5a3e4ab7104808fa7ca1be1873ae0fcc278daed0de
SSDeep: 12:OnNP4gi4SQ4paBomdWlLdMEBalFtOKopOTa1QQtq2XoPC3jiqzev+DXdVQm9jGgT:Iggi44pa/MgtOKcS2YC3xzfRjGI
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.png.RYK 5.55 KB MD5: 2193c8a35256f069edd30c168f882211
SHA1: b585205867c7bc5a86c26011b6f7fe7d3dbe5d31
SHA256: a2d0f37cba94fde01e8db6f5a453f8fe425aac9e82311d2ba943b180c75a4682
SSDeep: 96:HDTpWv9kY8+mF9cS2DSB0/CnrhBhspmMuVJJl2GgNkIbXOltkTZhTYHmFFuxa085:HDTpWKYX1c0/CrhBhz5VJJyuIbefy+HC
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PrintDialog.lnk.RYK 2.42 KB MD5: 723a04b937a22ae937a4f92788dd5f88
SHA1: 969ec4dc06a785629c3307bd88b884c9acec1473
SHA256: 5efeb4844f7cc8a9b18af6a23682b0413c3a7ed949a6818e5a73ac56328509ca
SSDeep: 48:36qnNaULR1PZ3tw216vLE4FHLvsRsvB0IYIk+4l6dPIXvYrkJ/Af:36qn4cfRcvA4FHDskBhkJgQfx2f
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\10\267.RYK 0.41 KB MD5: 2a0f1f959acd44c21da32738675d22b5
SHA1: 8502d47a433b993e4e1f4a37329c9ea4b448e1ea
SHA256: 29c12ccc1e8de10cd97f8b15258406345315228ac4625b2fd784d5b0b9b37ba3
SSDeep: 6:zxlgbSX3xtuIuWEGFDG8wsG6RS3ob+AXUomCDGUf9gXpPKHOolD7wv3Oecx7hDBi:EGuIuWEGhFb+AXHyUf9ghKHOIQcxdDUD
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk.RYK 1.60 KB MD5: b4e7af78e4ed074999348fca4d337ab8
SHA1: 43662accdead9d3602c6ffe8c37d4ab0d37cbc45
SHA256: d1bd1c9e94e56824362ed879fb1c0a2e8ca7e01c6e61c19abc3780bdbf947072
SSDeep: 48:e4ml51gPb6jjZXUxeVahWm8i3ytuWNSOv7Neh2+k:eQ4jZXseMj3cuMDokX
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\11\200.RYK 0.41 KB MD5: 7f87e4922997c836ab1244fe624a6a62
SHA1: 66c115f1ea6131e52bce53fc8f739f51ddc5bbc7
SHA256: 29e521d1118f16937511bc9fbe45837617bd72035ae2e7c84b3fb049de726c38
SSDeep: 12:kct09ErWal7qB8eDmJk1M7fKjg9q140vToLG:kct0ardlG+eDyk1eCkIv0LG
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\262.RYK 0.41 KB MD5: 94475675123c38ce9934303399dfefd7
SHA1: b8b7e075c5d84c75eab1297caa70f5d19eb8076e
SHA256: 3d1d4aecb1c203d24866df4dd5f1d0956feafdd74aff4fb1fc1696b51ef34bc7
SSDeep: 12:ii2/FpsX2v9HVY+h5xtHgq26soDDl0deidYyW:ii2bsXElJh5Apw1IevN
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\MiracastView.lnk.RYK 2.44 KB MD5: 5ccc40f290651d1865a9d02955d6d0fd
SHA1: 045e8bbef6c11998f288f281c1352859419e32c4
SHA256: d84723f1a20239f4a3a68b3a304adb5f8b7017ad11b20011c5cab81fe60af3ef
SSDeep: 48:+bNpq/4uFVjajrzBMMXSKg6bW4l0CvWfyHDasLwIDrofPm:+bcLjajnukSeWCxH2sLwxe
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\07\273.RYK 0.41 KB MD5: 5530a64c30830d98d35e9eafeceee7b6
SHA1: 9a3ccbda84a1e2f8076acf442becb60e26265c1e
SHA256: 8db75ff8302ff2095282cf393303be331210dad618c6780a415f7adfbddee9b5
SSDeep: 12:DrKuhj9mbkrE1Zsyh911EN1QNRXWUvpkD:HUbKyh9/EN8Xbvp8
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Live\WLive48x48.png.RYK 4.83 KB MD5: 0c878f7b49de064c61e106fa9c137194
SHA1: c65063ff0ae4a96250dd107240531e48b8af8434
SHA256: 153d9fa7dc952761d9017f2ebf77dfcf139f84ffabbf2bada54c39368f871b17
SSDeep: 96:lftq/a/iLj9Cr5pcRm7MyG+qQV6WrgyGcD+dJnWTzwrfviLdxdqpgWw7m5PYp8WI:lftGa/iNCgmM+p/rgyG8VPGCLLdmw7sL
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.004.etl.RYK 16.28 KB MD5: 4d8c899811ea2400e64d76deaff4ddd3
SHA1: d0318ff2d2a639f5ab8ceeff71de9d969b12e4ba
SHA256: 13a3db2c9780179665950d246f31cdae400851fef4ecd93b0aca965029a8549a
SSDeep: 384:bp0myvWxnvePLdY+rRC+TbiHD8za9POaB3AUsyp/PFJRPtmRf:V0mkWlvtG93byPO9UsyNFJRoN
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.2.xml.RYK 1.63 KB MD5: fd3d26974a83fa734af50c7d40cc2718
SHA1: 28021111e6df20a673a3c960f0c766a21beb9027
SHA256: b160f7a2ac03d9d59320db9bafb71984ee0188b1e959cd0f4ef6a215aee0024f
SSDeep: 24:hdyCy1etQ2eBehyuExuN6rehaLqZMc3TvSNVIF9CgiRcS1DHVUyakSipv/glq3:LDGeheBgEoN6DEv5f4RBDHVNaQ5glq3
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\10\197.RYK 0.41 KB MD5: 038736e5c6e549a00e1d347541035313
SHA1: cb8c6eeab07195c5d5d2b4dbe528f5c29b7e9cd3
SHA256: 7172c5d5d8b370b7927e28661a64d43640d5f31fba4a012b47ae43b397cb7e1f
SSDeep: 6:eT9ouBd8EyZncoHHjRSu7R2JPPiQiP6eDQ3OAUNiROlBJDBxRSUeq9ZQLZC+mhn:eTZBdNy5c6rQg6eDQ3GNnJNnSzQ
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini.RYK 0.55 KB MD5: 458298eb43d8ba28c0ae9699aeca87ee
SHA1: ef7896f15ff4321bfa9ac5d58a53bc1cf4aa9b22
SHA256: a5a5906aefd51bc3bda0f034ffbb6a123c48071329207676d44bedd715b761d2
SSDeep: 12:7kPv+WfW8jiYiAUaaOvRLDm7HNdeF+sc/ll03Ygxn/fw9TKUvW:YzWwiYgalRLy7tdeQscdlp0Q9TKyW
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Desktop.lnk.RYK 1.11 KB MD5: 415c401c53beb61736eda7c6b6d2e589
SHA1: fb2fc93c3ea438cf45f431fd8d84f85aa6b5d1ec
SHA256: b91e2f649b170bdc561f55d30c2e11f8eca6881504c6cf17b878b32606dbaeb1
SSDeep: 24:NMoDGfnWYH8xcCpbv413GH7b2KzR7KK9V3+7QKU0SlrTG0CLi:NVGuYH8xFpbv41Gv2gRxV3+7fXSJilu
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.019.etl.RYK 4.28 KB MD5: b94f28f6d32fc5eb0c17e728eb1227fa
SHA1: c095133b18c470e8556376f3ca085d4b18bdb427
SHA256: 0cad2ffbde50b5a9117bb7236123a94d64af6c4f6ed1e4eae4c3cd47871f9931
SSDeep: 96:MkE5By/Jtpjd9mAmfoMqP+Uhp26TejO5bGu7eR24aGiO07c7zQRQ5ldXeta:MqpRoVqWUhp26TejOVaQ4rVcczrNz
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Word.lnk.RYK 2.67 KB MD5: b013a840466204c19bb128b3cb5bb252
SHA1: a1333d1353c90429087a8a6b64de821389d89d83
SHA256: e3471fdc4b6fd03269e7c3a5bbf42a7d55d6c0c7e82eb6bb28ecbec0b977e100
SSDeep: 48:LN4pwh/eOGXcUw7K3QGC5SLw9sgC46YmCtvqrP1sG2P+vexAs3WTwH2NK:Rcw1e+UwuQGCjZNtvCP+GHWFWc1
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-48.png.RYK 0.77 KB MD5: 130b78cb1a1a0c495e642ad0fb3bcbd5
SHA1: 930a901db07b0518f044211b8de447a016bef63a
SHA256: 469b00ba1fb47543410ae7301ab6aea1c037f2a3d6cdfbe9d5d2b2cfbe926e3f
SSDeep: 12:Xc3oy4k5a1dDeJ6jrRjMRbgT+SZmNCPQ5IrCkiLn665HeM/6Cxn:Xch4RDlxVVIN9fki7heUxn
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\14\9664.RYK 0.41 KB MD5: 65bfcc399f84b89ecd04dad4f64297cd
SHA1: 92145c3b6743baed2b56c4bc28d894de2dbbbf7b
SHA256: e6a3abcb7d0e8348d5ae6aadd3decd9c1146d9fef8f2f99fde519e1b4311f4a0
SSDeep: 12:46jYa1wQS1UE/fk6UUrF5fjgIej8hti//v7GkLWB:4uwSEU6xrLfjejMIXv7vO
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Immersive Control Panel.lnk.RYK 2.56 KB MD5: 681badab6457c9d167a97f6239acc443
SHA1: 7ec5b7eeb0a68b5066e1d7fe0d5bad67b7c2deab
SHA256: 6dc61a6e8af41938aabdd9173ff7e10a82b469accecc23a1510d0b7f3605ce63
SSDeep: 48:pKG97+wgofEYJtLQVGHEJ2JvrW7ZO3IfaoPgcqTA03hW7SHaEcC0qAgF:JhlgiEY/QskGW7Z0iaogWjEcC0rgF
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Visit Java.com.url.RYK 0.46 KB MD5: 1b20a6b23cf36640858d1460c9c1871f
SHA1: b98b6996933f6d825054d8caa97ecc007b9f6258
SHA256: 6b6adf2ee4432dcb924c364b70defc61b392202cdbeb4c7f08436246c1434fe1
SSDeep: 6:WXaYvG+px8nkqwF6bvlnmVJXJ82gZyVDTVfZj3kQdRk6tH9zOYmjAaDBySge3jAL:KafexYk+mD5xD7Zj3ZXH9zOXAsySvC8u
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\272.RYK 0.41 KB MD5: b3bd34768ee58a519330f77cbaa29c59
SHA1: 0a7c81969cbdcb4aed5d2862f70d13cf4534c6c4
SHA256: 9437531ee0799185eafe04155c3e96dceaab6f31860e918bd05442ba98dd2801
SSDeep: 12:psNoqw8vQ9kri1LIO3PWSH/xoRdE8gLJn:iNdw8qx1M4VORdEfLJ
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\dfrgui.lnk.RYK 1.41 KB MD5: fc39a0b01d2ac1ce027b772d0099fad2
SHA1: ca2dec6f87e10bb7ac67875a4c131d121224dac2
SHA256: feed7808ea5f7129487a69e56041f36ba1c130943a7ebc656ffd8babdc1088fe
SSDeep: 24:pjPEDH9R/yF0LfAuS/3conSdCf7rv5t/wSX1Ci4as9BEBeMajggWqthDLAZeQAUH:hPEhRnzA53SQfZt/wSX1m8gMaj1PthAx
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini.RYK 0.44 KB MD5: 5c00961b9ec206e12bc354b01dfa5a2a
SHA1: dbe7965998592fc30f7433c1cccfbdeacde736dc
SHA256: 79c75968757b514be281a6aba8dafbd0022b98b234166d0d7eeabd6ea92bc703
SSDeep: 12:xvpr7uHp26dMkYCcxkkYVpyNniHZLDblQyo2CKrwi:xvsHM6dMkY3kDVps6Z7lQn2lrwi
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\328.RYK 0.41 KB MD5: 1db822b509e0bbe49c5e57aae6c05399
SHA1: b47825419052d54d8b433ac8ef19caea0e59d407
SHA256: 1b1fc793f3cd2de498d5a479a9c37537b07a98357c7327915a71d4986321c8ff
SSDeep: 6:BMf57XBA2vu8l3L3cmRYU7JuZhN21iu8GPTehQ1vKWecJ7x3oRQ6H3ao3kExF/dv:BMf57hvJLtYUo9sehmbx3N6HgkdUDi
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107002.RYK 0.41 KB MD5: 3ef479721175622e55953e0ea80e15cc
SHA1: 825de57d188ef85dcd55f1214ac290be73f0e701
SHA256: 92bf63531a80333e20912a5b186d4c43151e6dfb27066437efb57170e39f9d14
SSDeep: 12:a4TCdIlhczbPcU7avtyazAfNUF/yetz1bnDPsmdrnOnUTN1G:xgbPn+1Rbz5DPsmdrnFZM
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\199.RYK 0.41 KB MD5: 05305617a2e228f5c8b254e3f62e3c6b
SHA1: 6431cc4dbca7f373c339da50eaced82e03c0897c
SHA256: 3e187699dc835b695a842e02501fb509647ac7c586880ba4fb6ac448cccb5b88
SSDeep: 12:SUJnWgzk4eJ/Up4pRY8JOAbL+BE9qH0ny8SXSn:SMWsIRY8Jjfb980y2
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\1\0000000000000000.idx.RYK 0.36 KB MD5: e5f4cf3e79db54c833e5d1f44bdd64e9
SHA1: ea9910f9b5a3fbf113aed08268dbffcb836882bd
SHA256: 37630ca38fd66850fbfcb3ae54d87ffd598136402fce946ab2e8a234ae13fbc2
SSDeep: 6:CRRxnAFyvFHwRK7YSPHvmd4cpAZfkIDlLH99cbXjxBPd+T6AaHpSCTxDOKI:Qxn9kK7HWRpAZcI5dW/j/FrI
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini.RYK 0.64 KB MD5: 8d3e365a68a9dfdb44e09d78524f36f0
SHA1: f1b0362cf559ef383441a8d032300d1fc3a8681b
SHA256: 6cce7cb4a80823bc98c49c27761a96ac09cb254752b061f61a4274d52b070c74
SSDeep: 12:ML1i8Z5jMXFyFmdo2kGvv7ggDs3Bm5B6z/bfnxQZBpykw:25jMXsFV2kYjJQoqznCB0kw
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.015.etl.RYK 16.28 KB MD5: 08cd920090ae26a8a1ef6e221804ddb6
SHA1: 15d26cc4a8bb4cf62bb015904602498d554514c7
SHA256: 96d51f0e025902114afe0287911259973386b6bb07cd911a1a1ad8af5fcd9644
SSDeep: 384:7kB6XsUnOP7DXXdI0AYsWabhn5SKBQLnLxvHU:7kBR8ODTNIwun5SKBQhc
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher.lnk.RYK 2.63 KB MD5: f21706445fa097fb850c8feb6211e4f3
SHA1: 1f10de46b9a025bc1f2463d351647eb18d7b2933
SHA256: 91a72e360549216d7523754e47ab4a52859b9566d5f4fd4077a6d3af06602ac3
SSDeep: 48:REadGV8lSOQjuS2eolr5XrLt6fFGkQHCw6xiK+POyZ98ZJ3DUt7/Dj:qafo7juJLH7Lt6fAcxi5PV98/IJDj
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Snipping Tool.lnk.RYK 1.38 KB MD5: 3da139dc1bf89589612bca83a5768faa
SHA1: 4fca3d6582ba1d3887df8d4a4fdcb59c07b2a74e
SHA256: a1729cfaf9935ae9916522a730b2e8fe9890bf0901d4037939572e5ca9f66d6a
SSDeep: 24:oFdYhQvvCJjh8HIeDoAHHQzjy0uXhyzjyCc3w/+erbUT9sZakjVf+fMdUd:oQhQHCnSIEHge8/rBbUTyoG+d
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.1.xml.RYK 2.21 KB MD5: 9407fde948e785b159acefbdf9bafd0f
SHA1: 7c8827316422b448b27b9d72562314dda44a406b
SHA256: 3e8a7d1ca8f1bda7717ba6d388811d2a2d504e2ef8e5b8cf1f218ee6e5f02c13
SSDeep: 48:0lsrAp7MhfBF0lpvrax25j7UJu7Fh+8JMVPMIvamCi:Oj7MhfT2JV/+nPM7mCi
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business.lnk.RYK 2.67 KB MD5: b9b931dc8944e691a7510afc9bd858bb
SHA1: b8d38a1b2ec8adf73a351354690437a34c8e2732
SHA256: c3f93dfaad54df5902ce4ae44b12fce33441bd52fa6476f8ee5e939362f30ecb
SSDeep: 48:aS9JFvKfYFbZYc2TAjkyZ2NxcLtaroeNSu4BoHRt/sMkAKT:HovcskoYpazt4Cn0B
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Paint.lnk.RYK 1.36 KB MD5: 3f244932296693630baace9f5d47cb23
SHA1: 13de4ed150a68e5fca401dad2dc19218ed2afdc5
SHA256: 39da025a90a13e13e7de0ffd8c42d530548bd6e13bfe7dc2cb98279f192aba92
SSDeep: 24:kEv0qr8nqXvLCc32Z1zvLvP0k65JH69bi3ZiytBOqRSJZEp:37InqXR3i1zvokkH6YPVp
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini.RYK 0.72 KB MD5: 0a2f700037d9f8fff3c573b4b8e641fa
SHA1: 02d82743f73d21d219cb5f85c1148d9e6fbfce21
SHA256: 4c90df74def91154eeb70a2122c4a5aecc946cc999b4dc78546a62eecaf53118
SSDeep: 12:e5rDarKKlxDaS38vaSwgcSGTiBQ2W9Tku5l+C9XXF1POKYQJcYpvGPGWQWmwCDLn:eAeKlx2SsygGTi2k2wQzPmQJjEQt3DLn
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.008.etl.RYK 16.28 KB MD5: 86158940cd7e8c0122122a8b6235cec3
SHA1: 270ad42d2484a1d534dd5bc7850ee7c7ba2a9e48
SHA256: 354dc8bba9c8a43f94a53046d4918186fcebc0d180a7bad6100df3c528fe2701
SSDeep: 384:uez7XBfUmZTqu1cewfdnwACTCsJWIy3FJD9I/ABntYzHdTZlCDN:RHXd7ptcNf9wRCUy3LDK/AFWnCh
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\271.RYK 0.41 KB MD5: e4387a18f7a4e6bc3e6be3bd94b1c1e5
SHA1: 869de5a88a5b1462074b7342d2662a6451d2ccb0
SHA256: eb744f483b3f0bb688e3920b1743c1f68c9d1efe0af2dacc66c9f60c3feb3325
SSDeep: 12:gvUyax7edcyfpTDz3Dr8BFfxT+wQ+g8uc4:gMyax1yRr4f+Ouc4
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.016.etl.RYK 16.28 KB MD5: 47a176790ae8314a49ac659f0a4d73c8
SHA1: ace62e3d6ff3be7c615a71b9f7df0be36bceb60e
SHA256: f328506738183e312da5242cdd1fcae9590f579c5f3fc79e9d396bc8a7e22692
SSDeep: 384:tLxrKh8UvpTBbD+MVI6QGLpuGugujTC1z2SGNW:Qhtp4GoGuHS/d
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\00\192.RYK 0.41 KB MD5: f2daebf1b1a8402c9fadb8650bcae201
SHA1: ec05a739f4f9bc9fe1ae328bbc929afadebe777c
SHA256: 8ee8b5401974afb7756a42d766850cb15a3e51487712c333fdb027019be97c68
SSDeep: 6:UGBuv+RsvKw6LFPAqXhLSOVXI3Tw4wPPTbxzSvaXbO3O6Qw1eAO0yHSAjIyBTd4S:JhAr6R3hLfXI3TwBzrQ0w1e90VEOgV
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Default Programs.lnk.RYK 1.50 KB MD5: cd3966e781e4e76442632218f555b8e8
SHA1: 1d56693e799a4dfdc04429d3968db3e04b602524
SHA256: 14bf7d93d54578ece784b399bbcb171876b7af5d6fab24d76d6c7f6fe6979203
SSDeep: 24:8aV52CUTY3dOjvbNDs0mzNZ/+U7f5iNS55TKrugyKv99GAbqZSBrRf15B3/m:ZWqdm8zNF7xyuPJg99GNSBdX0
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\196.RYK 0.41 KB MD5: ed17bb464e1545aade3cf96084b65514
SHA1: 4a24970913ae6dd25afa04b2129eb4432a38a888
SHA256: aedb4b79832c18859cde08b1d282212401d5047a9fa2823cc484340057b8894e
SSDeep: 6:8kQyuaox1EOuyO0KgO5N5bVwmhG7CN4HNkVTS5eXGnUB7BH+8+eaCz4eT9tFR38:83a+iyI/r6tMSAXGnY7Bjlapepts
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\services.lnk.RYK 1.41 KB MD5: a9b56eacabcb51710ecae7312085b558
SHA1: 56b83d7666f6976325e18d9068a19789fa520ac3
SHA256: 70d446f374f75589b2423b06dadc22ebbe68c91271a13723c25e910fbe276e64
SSDeep: 24:v5g0GZxW0vuPy+3I4hPXapCbWziNDTVpxm8dUe3L54jV42u62xU7n2Wx:v6Zx9ZKI2QsciNHVPfdZAVLUQnh
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp.RYK 10.00 MB MD5: 67b48049beda10ad696e396fef39d950
SHA1: 466a715a1de5dacb24e443458f0ab5d385a7ea5c
SHA256: 54b82ab40de4ee022d1a67eb445edd900bca0db3861886170d9006947496e008
SSDeep: 196608:gRB/okUOs3EAel2YxWCqoM4ffR/uRVr8E7ejFul:gRB7daTCqSIGS
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneNote 2016.lnk.RYK 2.61 KB MD5: 606d9eae079666f684b6a831d0cd4587
SHA1: 4b7ce3719cc26643d92970422e4e17a66e2e6db3
SHA256: 62dddfbb666dfd9546657bf8117bd9a8463898725e38e457ceb7f2ca62c92555
SSDeep: 48:RUVPnCJskIsh+MIj1KK1oIdsapcTw1j//XLY1KO9lInY47eVJp47Yh1KbNGWW:RUVqSk9hyNoWcTu29lIYseVI7SKbMWW
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\266.RYK 0.41 KB MD5: 27375307c83c8ec8b5ffa438309f5e5f
SHA1: 5a8407ff336a66dfbccca4955f43f4d4e48719ea
SHA256: 785de662f63456fc1871a1f565342896fb0dc7e1bb73cbf97258689c1aadae60
SSDeep: 12:8z3teXxrf3BPUCbkg8Gi4NRpmB03+yGtV2/oViU:8C3UCbfi67mKgthkU
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateUx.001.etl.RYK 4.28 KB MD5: f6b31d51048fed7ba59160a38d5e07e6
SHA1: 7b12ae7962727df8dc36db1939cf4500637f4342
SHA256: bd8b9742622f1d455a8175361be62d5e651e894e989589da1c39a6dbf1bb411d
SSDeep: 96:wJ+rbeG7NnrU2esTbEE08bpfBsfC4zdNcYC6LglZvTL:wJ+PemnrU2/dIRZNPLAZ3
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\21\13719.RYK 0.41 KB MD5: 16629377b5a94cdd9b3d98f037602052
SHA1: a9295a2d8bbf3457b89b4a3212453c76e9a85bbe
SHA256: c0c667575364bf1358461875701582b6ade8262273b7c26f1e949527df415bae
SSDeep: 12:ZRt9j079DuS2C8T11cp5TqUZXVj0GFHpvB1sIXmtY6AK:vtm7AC8hy/TPoGHpvDIll
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.png.RYK 5.55 KB MD5: dc9d598ac7d385a1fbe0745d28b10d61
SHA1: c26524eb0d47124b922d4be871be1bf009940559
SHA256: 2b9af43c29a46b9f18639d6eea67f19421f9ea7ba52b5fd66d1ae8b5afa2e8f3
SSDeep: 96:ZPnmsSCRAjO+QvtkX/93WX6i6tVaAA+9diVXjdpoDcIi0+PzAJTMAQZH1:ZPmsSCL+0tkX/TVDAssdi4IiZkqn1
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business 2016.lnk.RYK 2.67 KB MD5: dadcab4f2d62aa7dee9c6233bc3f2d7d
SHA1: 56b52f6528f03d00c9edb5818d349bd83fefff45
SHA256: 9e80b0b02bf184f8bd6bddd7ec897b0f90e37c8c5e74f42be53fe59164d934e2
SSDeep: 48:0wt2NEgBpV7J1DHhP6Ps+lai3ofCXmDlylni5T9sa6J+hY9Kv+g4atH+T:0k2NpptJ1DBPAN3o1RB6J+hiKvRDH+T
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.011.etl.RYK 16.28 KB MD5: 15e51f38bb0b0f6f0ca4875de80557bf
SHA1: bd722b2bacf6e097889247e3d6fb478706aa4821
SHA256: b8df085680a67c24fe3064d71e51006c3bd496ebc60f74bfc20b9822bae75dd4
SSDeep: 384:dXevRGlbjc5Ft1qm1kIw/3EX4BQ5oO0n4XTfeENPuajfK3t9w8gr2U5uE/wj:iRGlbI5Ftcm12/AcQ5RNPuqK3t9lvQud
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol.RYK 0.71 KB MD5: ba64bdfddad8bf4721be2dc57fb77de0
SHA1: 1632cb63d65b095f74c1670484a7c026200f174e
SHA256: 4bf14efd5818d594c0f88a4ee9da20a8a54b471a6a9fcb3f45632a6ba1330d53
SSDeep: 12:gTJTVMeaPQzbgv9Q6020kIsj6rqmn/YVst9QXF5SdMQSzfIIvfWndrO2:gVTVWPoa30P66rqxVPXF2SvfAJf
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\13\278.RYK 0.41 KB MD5: 3b7279680dd7a38b4bfcca2d70e7a812
SHA1: d82b3d5f831add1a7d203be79e46c3936df2bf7e
SHA256: c837b1e0372246de6629150b345661b6d06fe8a65f73bc962c55e7e541dc98fd
SSDeep: 12:uBCvzAVfoeyHLtyfwVNQPqTLFuZ5HiRgGMv:FvzAanZx0PyiYZY
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.020.etl.RYK 8.28 KB MD5: bc043d2fccc190d2d5c40efb060ee89d
SHA1: e81b38709f1b60e2e6f7a994afb90b2ccb94abac
SHA256: da16e527e3633b6d6002454d115d6fa4d987d156a873b97c1b6d2f890825a3f9
SSDeep: 192:dwAiKg5tZoTN4fnExA2Ll12/o1vs2SZhiv:dE5DoG8532/WvsbZhM
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Steps Recorder.lnk.RYK 1.35 KB MD5: e2d8cf8a721eda3bbdc113e83015b6ae
SHA1: e8150d86de41d794e49366d8aa8eb897e37cbaa4
SHA256: 0282e9d247eaf1021f9324e1cfb84c4ebe24ae238395556bb87b5faff136ae42
SSDeep: 24:ZHKGIfEg8pAwq7RuZdfOt7ZT62nWHdgcM1FYqJgJ54lJ40vKRrQ:lKGIf/6q7RuZdfOt7ZWHdM16qJoUJ40F
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\12\194.RYK 0.41 KB MD5: d1829709b2a4ca0746b5d8a5605360b0
SHA1: e54ef11845a1c45d8eea455070e275d37b241a90
SHA256: f53b785d1f9fbabd842eda7614949db17b478235ce4bb3f077b774b7e99a4f8e
SSDeep: 6:9a5/GEjpDYMGz1YBsV6UaZCD1LK0VE93DEeeybyA+grIvB81gc/rMZb66CyBiB7N:45uwDYpJPaMRO0VE9z1V0gFKD2FxwW
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini.RYK 1.27 KB MD5: 2537892918d7199c5da36c1080ba8156
SHA1: 595c192d66e4bd333fee720c1301bd4dff1baed0
SHA256: b25cd65acde02d8cfbb3c57d69fe7da963d5807138b6fbf808580d31daf4d8bc
SSDeep: 24:F8DrxCyEX3f1DKj16VP4umufSMhgicfcqdlJiK+ojqcI8pQzx:mDrxpEXahqRhbMcqdlMKbj28pcx
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel 2016.lnk.RYK 2.64 KB MD5: 941435c209d1b2ce23836922fbf47ef5
SHA1: b9f9dd8f20bc6febeff1f0c89216ee61aadc24ef
SHA256: 884cf1584b538e350a5ad025ec584bc77cecc569a65b31a37bf0178391e60504
SSDeep: 48:RWDHoQEXbJIeWaqAjV/RSh0RceJbbDrX67dWyuAzhWyPfVj2vmW++9YRtzq17a4L:aHojXkojV/RFJP6zuAEy3Vj2vmW14zqT
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\02\303.RYK 0.44 KB MD5: 901ce2745769f7d463250004ada87611
SHA1: 61567b2d05b770be674fbba0a1e51d9190b09387
SHA256: 21888eafef2ee35dc4f7a4006c7d2ea42d5dd84e7a210b0e9017455a4eb2b24c
SSDeep: 6:mw/WlGntjCDnZz1VSaZJ/irSlL9pR4SDYujyWSZjqbz26n+fGdQab+eB7Yk+Vjpf:mECdz1oKkELlDFjyVZ5GtJV8BFPiiB
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\13712.RYK 0.41 KB MD5: a408a70a5d84c5d1775cf8ece49659cd
SHA1: 761936a12d8240187cb06a5c7a596e978ad897d4
SHA256: 15ecaf804ae42095f5479def1db9f9c93d48729b8fea7b8a57faf3898827f842
SSDeep: 6:iGJ9d+Dy7SAHRhJBeMUKLCyC3cSLB5sur6bDvrOEit85Gh0Ds+dXL6tD7EPIIeAA:L9dcyXJ7L+cS1yTbnXimchqWvDAohr
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Pending.GRL.RYK 14.89 KB MD5: 4166a57d648b1ae6d93819ec7fcee4b3
SHA1: 20ac87c46d47750973eed98138cdc10a0e20b9d8
SHA256: 29d9f584cd15b229543fd2b520fdcee4aa5a4f019f69404f5a102e1bbb50f381
SSDeep: 384:BSDeLMjt3p3lpZsIwjm+msafWMCe9H/TgeQG:BSyIZLpuIya+MTRTUG
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Visio 2016.lnk.RYK 2.67 KB MD5: b7be268e438942f1279a58ad96ca07a9
SHA1: 438b5da31a715de40197606bb1f50609e98eb439
SHA256: 9a1126a79526c97299abd89ad22a17c5bf3d6fca541f8da1bb075b0d8ee7c412
SSDeep: 48:jGrvctbfhF4rOsyeKmLUU/KfJlY8Jd5vsY2a9hV/UAAgnoEaP:jgv8bZFzeKmLUU/Kfk8Jd5vskT8AAhEY
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini.RYK 0.64 KB MD5: 6e7ba2db7c4808a0a3b1ad8c91efa697
SHA1: 3f9d82a54cb8e4b7fdbd2de5d97073f68b28abd9
SHA256: aae9463e92bded0f9cbb98f8793215459f8a9dd9b2484563348157d36fc664c9
SSDeep: 12:EoCLD553ZI/QZH1cLRxT+FzgXaadXLGWTrcmUZhK1MkwBeFvMZTP2/o3YPn+gqdd:EoCDjpIIZePwcD5Ic1M3wQ1DPn6W
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.001.etl.RYK 16.28 KB MD5: 074708ca4ffeac99b6d215fc149c2e8f
SHA1: dfa6daaa8286e24f8b99cf8842b7862e4ad00c67
SHA256: 1230a5659c9f3dc00daef3d86806526dbeef1c5a31cacfdd914fcc13eda29019
SSDeep: 384:LLqsUZ6Y3/hZvu62rIxCN+DlthSeCq31g0ikJr4ron:asLcPv928xkqltopOg10V
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.003.etl.RYK 16.28 KB MD5: 6d0a9983a7cdf21f9dd78e820c5b3399
SHA1: 888d466efed748d160b61647ad126781d3130ab4
SHA256: 99fee1f76ee55272a24605715428a6e3b78ac5a969e695c484d104387f0128be
SSDeep: 384:QRPAZVycdrj+d/Vps5QfqRaeFyump//2S+ouLgnwKobwzkhFb+:QR4ZVvrj+KWC89rN1obOO+
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint 2016.lnk.RYK 2.67 KB MD5: fb16b0d4acc55850b0b577f266e77bdb
SHA1: a26e769058b0eff1274f3455832ddeb3d21dc605
SHA256: 200a55dabd137bbbc64d3b4b070b547fad2ae0dcbf53548ffd60391cbbb8935a
SSDeep: 48:t7LyzxrxMxodnI5uAhryU53VugN4PKfRsLY4DFXzW3tdN4OnsPhXS7cUbPMQ1zGt:tXmxrTnI5uAhryU5sgNq4aE4DFwXiOn8
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.012.etl.RYK 16.28 KB MD5: 4efc3f631fa0dd5b733e55c72b61682e
SHA1: f5c9e94c477f3b73f797b57c3ecd5ff91c5dc6a1
SHA256: 7fd7d67b9956145ad4ab5c8a194271bc1e9fd30ad4d9a80f3fc1f8fc7916259e
SSDeep: 384:iBV5lO00Z1nxNs4vS7MQk/ROAv0R6HBQVJE+m3SttYgyj:QVrOflxNMfkZOAv0R6aTm3S0P
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedScenarios\Windows.Uif.static.RYK 2.83 KB MD5: d95dbdc7b04017dac69277df7bcb6934
SHA1: 0063c40724000b62c0b42b8996f65cc53706366f
SHA256: ae40988eec27609522db4088af525cdae1a210ac33911c73a82e1af9b83c4d5d
SSDeep: 48:vCQZveDNsmHbULbKZEJSkVCSxPRxLdz/jYPJbgaAw8g8nQVmmuaEQlVmS+dwF7m:vpRWmmQLiEJrVCSNrdzbYxb1A0cMm7aS
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Project 2016.lnk.RYK 2.69 KB MD5: fba191943805071e529d043c5c9598ac
SHA1: cec304f4e94b4c1821d2aa5408b191ed8bdb55d3
SHA256: 1dae1e5f9ac0da32b2999d7e273056c3cb2877485904b27c224dc480b8320b94
SSDeep: 48:qVA+yvxqI1bbFJOMQdLuJEUqXLgHY8lA3i7ZUVBQpPdTLTrfYGDX7a9O:VxqI1bJYM2y4gHYsZUV2pVf/Y+UO
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Configure Java.lnk.RYK 2.30 KB MD5: ce96b3a4304ca2f0f3e7ca2fb06f7d7f
SHA1: 6f25ebd533de94dc550850ed2a7d1c8b73123a36
SHA256: 1c97619b06a54681c47c6ce1940f592d1cd97fda12cf6700a650b23b4af8bb8c
SSDeep: 48:X8KaI1dboEpeZXOk7Ef6CTS0HlGj6e6u3nNXOARVCzYSz1zSP2h6FnD:I2q8eZXOk46CGAGjn64nsQUUSpzAhN
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher 2016.lnk.RYK 2.63 KB MD5: 2f467b4825348af8c098b49ae54fac18
SHA1: 5209fae69711fb4d28ba013feea0bc19ddbf36b5
SHA256: c7cba9d2b589203763fd354736c9b95abc6b9d5ea5d30d05ef7d0d710bf17bc5
SSDeep: 48:XVuGOhfjw+/I+qDVnxqVV5cjM9IrlfRg1o7dVsiWzcjSV8O265SfmZ17I4C3bUfp:XVWfjw+J+BkV5clrlaM3JOOO265SfmZr
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.013.etl.RYK 16.28 KB MD5: 3f3e437904352274ee04e77806b073d1
SHA1: 478e9718fdfe416e122f4cac6ca800ed4f74ac23
SHA256: 18987e544c4f22c4364236bc961245864cba310b4cbdb49781d1f7f4ab84e8af
SSDeep: 384:5ww4ZjkNq/bNrYYxGGgwgfE5UzurfsT2WV:5wwUjxtxOAUpHV
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.017.etl.RYK 16.28 KB MD5: b651be5e48f96a5b537116e7d102655f
SHA1: 4b6225a32cd2449317094501f6fba0c0c3484591
SHA256: 0b620bf3989e4b9579d1fa33e443b945abbcde73c55c6107ec27676c9a5af0c5
SSDeep: 384:jgZwUJsJ2jf2QhRzWC+x41RmvQujiGXMGG5aeTgX2Ne+kNlUj/hjn:jtUJ3jhRzWC+x41E1jjXzuaig8e+YUjd
False
C:\RyukReadMe.txt 1.27 KB MD5: 4ee5735f110b12d65abf3fb84f42eb97
SHA1: ec3c3b5942616fc39c43155490a01b2e13536319
SHA256: a84edf098acb83ed0b28466ed43cd32cad85de31dbf313134c1fbce188d6ae81
SSDeep: 24:iVeUE1sLlHgPsoWIeTt2Ww4OFGdqvWDbbOyxGSConbildyspzRC9XYcGoDjn:xUE1sLBTwx1OvblglobsdxusoDj
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\2\90\B6D0EAFA5E8634A6.dat.RYK 0.72 KB MD5: 0c9911ab0d61cf15d56481bcbd1a3307
SHA1: 6535a9fa8ae53be7ef71745f44a2833e4387cf68
SHA256: f3a1eba5221cf634ae216246c1a23e898064cea32eed25397062273c4f308dbb
SSDeep: 12:xVhgDQgjiDDyc0tNksm0rdxIduDYKCoV1w4xzkO2uJGcud9my2LqyN8ykPIubWHF:XhgHiDDyesHvrYKpw4xyrTmy2LqyN8yJ
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\Acrobat Reader DC.lnk.RYK 2.36 KB MD5: b5c56285c8098b635a5fe0ae1e624a8a
SHA1: f6d6b5c46482b27254f345af10e3125a9fd94e11
SHA256: d8e97b14831ab30f0d0a8462d65fc0f1c9584ffc22242b6e4606d4ace2ac1a08
SSDeep: 48:snVspFnMOCkXLn+BPjBSdx/mk74FaOZLW2ATCBc9IvylR4mmhKR1iUrTYffo:aVUFMqyjkt12AOB6Iv+ghAo0Yfg
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel.lnk.RYK 2.64 KB MD5: f6bdd77e459b382cbaee3c6d66326748
SHA1: c91915111ad17e78d239373178ae83153294de3f
SHA256: 48fdb0fce2d2d0d2c8ee8354daecf442d2f89ab54a7512e048b0302e3ac8efe8
SSDeep: 48:kcxJX+BDREyjOOCec0DTLCfeJGlD8abwHMH8f8Vdulgk1mRV5zc+wPduiAAVc:kgXw9djOOCevDTIeJGlDN2MHwsKUzYdQ
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\2\0000000000000000.idx.RYK 0.36 KB MD5: d05f09df17049de669fd783e03219443
SHA1: 60a991dce4ee9fff81e0fe7900b4f2e2436b9dcf
SHA256: c66deab773875f5deba7146a58d00912f458a3f59003f8fab978d5a4d2395d24
SSDeep: 6:56/+8HAFQq+L0Voifmz2t+cWz9IoPLnYeb2Vjseud1czDQ1eihlsFkgEBD/Lovgj:e+OAFQq+Lefc2xWz9REeb2VL+WMDh+Fe
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini.RYK 0.44 KB MD5: a0bbb0c1fc1c8cd7f5055792759560d9
SHA1: 8fee8af6a2e34f05ae569f51bd57ac266b3a8236
SHA256: 2df00c445644c90dbb5eb39058e9bd1310648181d632fc237a6cb4ec0c18aa25
SSDeep: 12:sqYEPvZzMeHTlzN6L7f1SwV02coc/fYZfb:sqVZzLHTqdF+Qb
False
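The dropped-file listing above is flat text, so the indicators in it (the appended `.RYK` extension, the `RyukReadMe.txt` note, the paths that repeat `Application Data` a dozen times) are normally picked out by eye. The following script is an added example written for this page, not VMRay code and not logic the sandbox exposes: it parses the five-line record format this report uses (path/size/MD5, SHA1, SHA256, SSDeep, YARA flag), determines which extension was stacked onto existing file names, flags ransom-note candidates, deduplicates encrypted files by SHA256, and measures the longest run of a repeated path component. The sample input is a constructed subset of records copied from this report with the section header lines left in; the note-name pattern and the 8 KB note-size threshold are assumptions.

```python
"""Ransomware triage over a flattened sandbox file listing (added example, not VMRay code)."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: records copied from this report, plus header residue for the parser to skip.
SAMPLE_LISTING = r"""
C:\RyukReadMe.txt 1.27 KB MD5: 4ee5735f110b12d65abf3fb84f42eb97
SHA1: ec3c3b5942616fc39c43155490a01b2e13536319
SHA256: a84edf098acb83ed0b28466ed43cd32cad85de31dbf313134c1fbce188d6ae81
SSDeep: 24:iVeUE1sLlHgPsoWIeTt2Ww4OFGdqvWDbbOyxGSConbildyspzRC9XYcGoDjn:xUE1sLBTwx1OvblglobsdxusoDj
False
Modified Files
»
Filename File Size Hash Values YARA Match Actions
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel.lnk.RYK 2.64 KB MD5: f6bdd77e459b382cbaee3c6d66326748
SHA1: c91915111ad17e78d239373178ae83153294de3f
SHA256: 48fdb0fce2d2d0d2c8ee8354daecf442d2f89ab54a7512e048b0302e3ac8efe8
SSDeep: 48:kcxJX+BDREyjOOCec0DTLCfeJGlD8abwHMH8f8Vdulgk1mRV5zc+wPduiAAVc:kgXw9djOOCevDTIeJGlDN2MHwsKUzYdQ
False
C:\Documents and Settings\All Users\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\20\189.RYK 0.41 KB MD5: 28370f29899258417c535969c5f94d6b
SHA1: 375d9e9bb71a8baf14b664da843a64cd46e66f41
SHA256: ef80b50a562a80f185729e24aa9842dc2269178ecf850bc91f00de67c5115f29
SSDeep: 12:jEMfObfUmoP9eIEHm9N2PVmjYG8hVVwy7z3KN8MBon+:30f/oVe09NiGYpJ5X6m1+
False
c:\programdata\microsoft\user account pictures\user-192.png 2.63 KB MD5: dfa369344e4a7a05735aaa2ad709a97a
SHA1: e57e85d968a9f704e33fd3399c94dd25810662f8
SHA256: 3678ed28c5e1b1270c84e409a46ccbe124b305966c74e8fb7a33ea19728a913b
SSDeep: 48:MS6TLXm4OdtEAWzJ+ox7Ih7K9/BuMvAs785tNOg0e6+1V2e7tWNfRRGT5diPBnW+:Gy4cEA2J+ox7OuHvTjg0e6i7gJMT5dGJ
False
"""

RECORD_RE = re.compile(r"^(?P<path>.+?) (?P<size>\d+(?:\.\d+)?) (?P<unit>B|KB|MB|GB) MD5: (?P<md5>[0-9a-f]{32})$")
HASH_RE = re.compile(r"^(?P<algo>SHA1|SHA256|SSDeep): (?P<value>\S+)$")
NOTE_RE = re.compile(r"readme|decrypt|restore|recover|how[ _-]?to", re.I)  # assumed note-name pattern
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_listing(text):
    """Turn the flattened listing into dicts; lines that are not part of a record are skipped."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = RECORD_RE.match(line)
        if m:  # first line of a record: path, human-readable size, MD5
            current = {"path": m["path"], "md5": m["md5"],
                       "size_bytes": int(float(m["size"]) * UNITS[m["unit"]])}
            records.append(current)
        elif current is not None:
            h = HASH_RE.match(line)
            if h:
                current[h["algo"].lower()] = h["value"]
            elif line in ("True", "False"):  # the YARA Match column closes the record
                current["yara_match"] = line == "True"
                current = None
    return records


def longest_run(parts):
    """Longest run of identical consecutive path components (case-insensitive)."""
    best = run = 1
    for prev, cur in zip(parts, parts[1:]):
        run = run + 1 if cur.lower() == prev.lower() else 1
        best = max(best, run)
    return best


def triage(records):
    """Summarise the listing the way an analyst would when confirming a ransomware run."""
    paths = [PureWindowsPath(r["path"]) for r in records]
    # An extension stacked on an existing one (".lnk.RYK") is the encrypt-and-rename
    # pattern: take the most common final suffix that is stacked on at least one file.
    last = Counter(p.suffix for p in paths if p.suffix)
    stacked = {p.suffixes[-1] for p in paths if len(p.suffixes) >= 2}
    ranked = sorted(((n, e) for e, n in last.items() if e in stacked), reverse=True)
    appended = ranked[0][1] if ranked else None
    encrypted = [r for r, p in zip(records, paths) if appended and p.suffix == appended]
    return {
        "records": len(records),
        "appended_extension": appended,
        "encrypted_files": len(encrypted),
        # Junction loops list one physical file under several paths, so dedupe by hash.
        "unique_encrypted_sha256": len({r["sha256"] for r in encrypted if "sha256" in r}),
        "ransom_notes": [r["path"] for r, p in zip(records, paths)
                         if NOTE_RE.search(p.name) and r["size_bytes"] < 8 * 1024],
        # A component repeated N times in a row means the encryptor recursed through
        # a directory junction that points back at its own parent.
        "max_component_repeat": max(longest_run(p.parts) for p in paths) if paths else 0,
        "yara_hits": sum(r.get("yara_match", False) for r in records),
    }


if __name__ == "__main__":
    for key, value in triage(parse_listing(SAMPLE_LISTING)).items():
        print(f"{key}: {value}")
```

The repeated `Application Data` components are, in my reading of this listing, the compatibility junctions of Windows Vista and later: `C:\Documents and Settings\All Users\Application Data` resolves to `C:\ProgramData`, and `C:\ProgramData\Application Data` is a junction back to `C:\ProgramData`, so a path carrying that component eleven times is the same physical directory reached by walking the junction repeatedly. That is why the script counts encrypted files by SHA256 rather than by path, and why a high `max_component_repeat` is itself worth recording: it shows the encryptor enumerates directories without checking for reparse points.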
Modified Files
Filename | File Size | Hash Values | YARA Match
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.bmp.RYK 784.33 KB MD5: 9ce5ca70571523db2aad14686621850f
SHA1: c4688e7054769426a96b6cb270478d3974484f50
SHA256: 3205b49de41b2e98eaa6872b03b48a5b689169f39b01dcb7bb4efb78fb4f429f
SSDeep: 24576:zBULrNPYuFMlSsBSun2Z+/78Vd53xzdvx:zufNPYgVsAuZAv5hZvx
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini.RYK 0.64 KB MD5: bf25a28a556d74e7e41f07d8c9a6ac26
SHA1: bd8b0fb6ff90b8289650dcacb100620605bed23d
SHA256: 3e1059ced26467b29d20073413477e69b7b30504c7fea76e06c16ad80d06a570
SSDeep: 12:nxnJNpKipgH3t5l96I5qVaK5gVuXhru6E9d/ZpQM7so8yiKmOqArKURsn:xNKqgXt796QmaogV2hrqWyAFArHRsn
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\20\189.RYK 0.41 KB MD5: 28370f29899258417c535969c5f94d6b
SHA1: 375d9e9bb71a8baf14b664da843a64cd46e66f41
SHA256: ef80b50a562a80f185729e24aa9842dc2269178ecf850bc91f00de67c5115f29
SSDeep: 12:jEMfObfUmoP9eIEHm9N2PVmjYG8hVVwy7z3KN8MBon+:30f/oVe09NiGYpJ5X6m1+
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\XPS Viewer.lnk.RYK 1.38 KB MD5: 5d710f6cc567da3fe7073422b1cd0274
SHA1: c7e8ae725989ef735acd24f28b9232c81b301a12
SHA256: e2de02c161dfc02799d0ca4b3198c2abaa2d5f969713cd961068057369003c1c
SSDeep: 24:3Pgso61eGvndu1fLpGyLiYafZikkHZ6obh/xA2BxStQntJP3Z6caHJ7yLAbQeF:34t8eG+GNVik0Z6oVxFSSt1wcaELA0eF
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.007.etl.RYK 16.28 KB MD5: c760fa2416902fd7f67fe56aa9a7a49c
SHA1: 43050ecd961def482a8fbf18a7078c0737f5c933
SHA256: 1ee55f16e0bfc150370cb2831ecc14be22114fd4af76e3cc1a0a0ed52576c606
SSDeep: 384:ZderXfZXaUCCCB128lWgtuvcRxaC9fcl/u2LkxdfNZX5Iez2SJS:ZsrBXaHvH5tXDaCg/u2LkxdzDz2SJS
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\09\238.RYK 0.41 KB MD5: 3ee75fad0c5a50aa6673412f0a81eff8
SHA1: bde87006ea9ca2d809a5021b22b98920b4f2f22a
SHA256: 2e120b317376c514bf45e3010b72f1b3089f7e064d84cce52bb7d883a1d8dd90
SSDeep: 12:I+19BSHo1EWIFrJkwOB2hn2/xJGy0t26k0:D19BSHwSFCwTAL0tg0
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Sticky Notes.lnk.RYK 1.44 KB MD5: 7478b15cb951e611c0a970591dba315a
SHA1: bac1b0aae083ff428c99fa1a3406f3b236feb849
SHA256: 3c837c37574ef673c2647ab292c3eec5a6497840846c22b8d3188a891f5e1c21
SSDeep: 24:7w6Zfec5or4NjxSZuqMiHcU6vcQ7d9VzbMGHBTXKWkIinwu19pqUnUcmCwHvN48Q:dEc5GQxSQqMi8dZ/oGHBTKx19YUUlCq2
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini.RYK 2.81 KB MD5: 705efdc9771d2bd0d19ba721bdadebf2
SHA1: e6675d7a96b6a447b4f1c7308b38838783256d0f
SHA256: 4d58bd80f77bc68f1600c07f44c9615a5819ad092c5b19888ad6fb99ce78824c
SSDeep: 48:NGVAhKj4xwavgw1Vs8W67Vk0kxxQ01LhVTPOFnr70pIw1w5j/axJ920V3fj9tbm:NGVUO81Vs8WL0kxxV1LhdSr7ijqQTvJ+
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\2\61\EFAE1E6619D4EE51.dat.RYK 0.50 KB MD5: 9c47b5cde8f9e28be4a740089f1b083f
SHA1: 165045769f51e8f467e43a6ca75bfe7ee3105679
SHA256: da2ba656f7833954f918ad6aaeb32dbcc5d78ce231123284f4fcf22e158c1ed2
SSDeep: 12:y//BlHQI3J78oGYB0eA5WDtm9p+UMVoJWAhTPfxQyn:y3fQIyoGA0ZU3ozhTPfuy
False
c:\programdata\microsoft\user account pictures\user-192.png 2.63 KB MD5: dfa369344e4a7a05735aaa2ad709a97a
SHA1: e57e85d968a9f704e33fd3399c94dd25810662f8
SHA256: 3678ed28c5e1b1270c84e409a46ccbe124b305966c74e8fb7a33ea19728a913b
SSDeep: 48:MS6TLXm4OdtEAWzJ+ox7Ih7K9/BuMvAs785tNOg0e6+1V2e7tWNfRRGT5diPBnW+:Gy4cEA2J+ox7OuHvTjg0e6i7gJMT5dGJ
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.014.etl.RYK 16.28 KB MD5: f08c07acdf770160ca9f24c77c46e8da
SHA1: 363e7f1d324dda6795eeb26255a5697d4a7fce15
SHA256: a9f1ea4fd455e0fa88029415fcd4edd345bef642ea3fef66bf8917f5809b22f9
SSDeep: 384:s1pnf/AVdidGjwRvm+IFKZSEbhJeVLHY61kvart6:sr/AGe3+IFK4Ene9Y6NA
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\191.RYK 0.41 KB MD5: df20b92bbb6bfc735721dcc202a97d05
SHA1: 5c8b2d41c6f80208b26a9171f910b0b6162822c4
SHA256: bc67fa908195648ef28379fbff26d64b4a4ca7acf16e44633838cfae1edf8a8e
SSDeep: 12:bwR88lq998WCOVVCnEPUq4FmUwQwnN+9OQL:si8EfNCAVCEP0UQI+9Ow
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.018.etl.RYK 16.28 KB MD5: 2e9546f59fa8e2e7068e9b169470bb4e
SHA1: 188bb513f61311c33d6b8926603b4d7aadac3a73
SHA256: 3ede06be15faaeb8613d1752b35be5daffdb2ee236471f12eedf64cc300193b2
SSDeep: 384:4eUmc9XPKyJX7Z/9XLtKKyXIAhJZ7mWpTozEh+E/SN:THIfKyVZ/rKQA3ZPpTo4XSN
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\317.RYK 0.41 KB MD5: fa647246742b6fb361b947d4d1ed9ac8
SHA1: c3fd00b0df0d9530f5d3d9b8517a64f8c7b51a94
SHA256: d19c17be36894b07ad9415b2581ca43000ce5e1a0fcd387a405a60760931efbd
SSDeep: 12:sSNQsyyB/WRzIY5bqdl8pPIjZlPObdr7nO:vSyZWR/bq0hIjPObN7nO
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\setup\refcount.ini.RYK 0.30 KB MD5: b79cd319abcfad5d60a1dc4b903823b6
SHA1: cde312aa1b5a9836b2373c6e34e742ec5409c3cf
SHA256: a5f6f84922289275196933e3345d4f69d8d9df304d8438c530dc55ab79e47386
SSDeep: 6:lzVGCN2VFob1J7ArZ26zxONWh5zXO2weCRDXvM9NFzYb46piuxLd2N5rI:GFK0ZLzxONQjOLXveC00JxB2U
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Acrobat Reader DC.lnk.RYK 2.67 KB MD5: 72be97604257b58fb66ab9525a6f2b51
SHA1: 2096842f536df27d69cf807adf3a343a0e36b507
SHA256: 6e6495c7e17eab179215f3ae9c70e73634a17887951325ec8e9d32fe86f5d2a1
SSDeep: 48:OvkeMHdDPH3QhT9eU9plbhBuapuEtas6pSQ/wfls28bPdsidlPbsT:OMvR3qBeWlbPuuuka5Jofls28bPPlPoT
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\About Java.lnk.RYK 2.33 KB MD5: ae21b145423e4a72054dc2fe48091838
SHA1: 04315b5a689e7a7301070f80154fd18c36ba257f
SHA256: c8149696df480f7730c0415e829b842a478ce727e0b6d30fabf51efd834226ba
SSDeep: 48:GnJSlAFIrX6okiFE0BSWXdodDWsJsJ0d4o7mLws3FoYjHtMMz:jl43Bli9tE/JP4o6YYj1
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Wordpad.lnk.RYK 1.41 KB MD5: 999121f24b5ad6557232561d9f68e286
SHA1: e35e797667966668d24bed814a557b5426d16bd5
SHA256: 2cb77e768fafeb44f9146dd66c6c0d0a76044a6ed130fd53ed0cc9b676e455b0
SSDeep: 24:4qYXn1wZHEE+jw7oKeeMysw4baahpRlESFITckXSuBGzcNQD12ptN9lpVvt+:4qYXIHLCwMKdZswiaatlESFIh7GzGqsE
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Word 2016.lnk.RYK 2.67 KB MD5: 29d63779dc91fc4b7da0cc5ec414c451
SHA1: 67eb0245d688cff8edde5a5bba60bb322000e595
SHA256: fb72290f73d7d13f4e011f35ae9b48884d5c0b485fb2ce7a531e968546b3c58d
SSDeep: 48:j4wjErpmG4PSKbc7OJXjFLtKljWLPLmafyFGSgFqgf6IgVhEy1Ufp6zfgWU:j4wAVUPDbc7YKlaDL3fSGS+IIgV3kpqM
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini.RYK 0.46 KB MD5: 0fad7dbe16d35ff9d91f34c8d4e45a3e
SHA1: 9b4385b9b72ea52b194bba5d893b6c5d9c0ed8c1
SHA256: 6e03ce055d9e7aa7eb57a561d6a08988a3d6a11d66bea7d01a6d135181d5c9ab
SSDeep: 12:EY9UdKd2qemYxzwz7pSQqOto+ebC80fZVPEJlcF44QZ:EyUIgq7fqOve/0BVtZA
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-32.png.RYK 0.67 KB MD5: 2a8cd5721de9cdac4494ca0631e10845
SHA1: fc6d47fd3449af027cf15109d421c1f21022b3b2
SHA256: b1676ef87b0270c77d1fab4c406fd3b6d7a7a64d7e8b713d2931e3d45fd7ece9
SSDeep: 12:VoMqgcVTvUZ1oznCK6s85ATGNXpUPh5eP7jpL+VHMP8QCjWOkf4+F68wyb:mr5sZubCaIaIXpuh5eP/BGHMjQG4+FgS
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\03\324.RYK 0.41 KB MD5: 7d9258757d557b3ca1cf8038c8610ad8
SHA1: 6596abe6eb6766569797f891c94d65584b6cd63e
SHA256: 968b160d810d5b98a85b3c8b43676b9a24b75bd9d42080de395d33a5e88e4934
SSDeep: 6:rAOqF4IoHLJM0toQsp3327h04ms7CwfhLGSrBfjyeBAyEGH9Nw8TTTAkd8PZL+eX:cOtrJBtvuaBJN/Eg9pWPR+eVwY+zTy
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\193.RYK 0.41 KB MD5: 625afda9892eb294c1a9749144e8e5fa
SHA1: 42607b0769f644e507598cd115be583b32e5c160
SHA256: ef9457a1a97ebe77f6a483e2c7c57c86d3dc77f471233b6a02f0a474d1fc19e2
SSDeep: 12:mmqbUxZATwce08mkRsGXzWX9jhsvqUNeCBI23CS:m/hTD+HJeCm8CS
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\09\13711.RYK 0.41 KB MD5: 35db5be44bfafafcd428039d08beb63c
SHA1: 8032e4f39b9f8925ca9a4f8c51156e2152a343a8
SHA256: f756ea8179facc9e7bdeb6ce456e528e481c65f4738e8421fc5258f0d18d54d2
SSDeep: 6:AhvYpHW2hyWTY8Ofzd3FqnzgIIhXmwobPtChAODLYPaGQ6VhwJvuRVnluyaP+J3z:AJYppYDfzdVczTIowyeRXHGv0h4roel
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Get Help.url.RYK 0.46 KB MD5: df47c7f823fc9204c6c41487f741005e
SHA1: 059729407d5114fd89dad5df746986cfd44c5478
SHA256: d35b0fb34beb249c8651df396b94c78b4c1c2898a2721a3add68170d634b69e1
SSDeep: 6:4LSav4VQvk+TC/ajxAqo9o2RGQ9nu5h9q99fOC6BKaabCKOlcY53sm3A381/P:Evxk2DxVo9o1Yn+h9q9tOZt9ym3AM13
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.021.etl.RYK 8.28 KB MD5: 5953cf626150923e94a99bb251db096f
SHA1: 6caf880d50c7bb27b96a34b1de0c2ab82e12baab
SHA256: f3d81bef59ff3af4a2be802bb006c5959609b17a4cc6cc4cae41459630deca52
SSDeep: 192:WqlFIILvsI3IcaZfD2ZPlvlrYHOv7IAlTOP:7fIIgI3I1ZfDSPlvSOM+TK
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint.lnk.RYK 2.67 KB MD5: 71e954f49812a366e994a0390fa81b1e
SHA1: 25f9dabc7a7f2872b9ca5b1467253b7b50649105
SHA256: 9e1b491ceb889cbbbeff500c90fb58bcff571ef6b2a540f3b9e7f89695dda24b
SSDeep: 48://kIYyLK6zyNkM7yUZIYIUokr3iyKZuhRXb5KP+THktowh+nhvibCxMeN00kZczD:/RYziEyUZIuokr3BKZS8sHOdh+nS+RWW
False
c:\programdata\microsoft\windows defender\scans\history\mput\mputhistory\15\288 0.41 KB MD5: 392f1b4635b6d3ab3b2c4a3fa467afa4
SHA1: c54550aa798d3b9081ed416cd88f3ce9a6ad3e30
SHA256: 5d2db654fe01f380ec3ee7d9350602b4e2350793a5d5ce8f65bf0a608f00bc28
SSDeep: 12:Ha6eypeQhUtCU/J6pg3wzzIkRbT3zyOK58w2mZicIn:Xey5+CUsI0uOKJ2msHn
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\10\286.RYK 0.41 KB MD5: 595223669a0c8b13c845bb5615578ba1
SHA1: de57cc02dcdce85aefb3e6812cc568965711da92
SHA256: 39b604a72995f186c4522b8475c7caa795574cf60d35525e63c0e4bb79a6aa6a
SSDeep: 6:qEIOqdku3zjtNWiXVwyZW+MLSxaq7651ziwDmAiY2hG0ZAoPOXXDrvChEykXj7pa:PYSqzLWrScsWRLTnIAKhGbvmIBANhSS
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.005.etl.RYK 16.28 KB MD5: bee95e37d1d1207094e7bc8fbc4e615d
SHA1: ccaa75ec1a439e07ac3b2344695bda2eb8018299
SHA256: 363bc7f727273c56ea5938e6dc093f3a81e33df8787b4faa0acc294a0a15ba87
SSDeep: 384:/Xh1L8JFvBrn3rY0dBN2Bhp+WBandKoyUot:vUzbLZ2PpR40ohot
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\04\259.RYK 0.41 KB MD5: 0a829fdf530f48b23e78593aafc0e46d
SHA1: a6fa919d2f13f77b996b3ab26bbdfb102baa52a8
SHA256: 4b3e1b451abd77648a51bfb4ed4dde06432ea297ccd1df150f2bf02fcf82bfbf
SSDeep: 6:UKeCsFy1jzHbtQNNaqwObEqkpy4AR5xCE0xVo3OGZeh/1KauesHyz+A:UKeC317+NNaMh34A/xCdxe3pZc/1BLj
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Active.GRL.RYK 14.89 KB MD5: 7e8342a691ced2bd8e17aa5d87f7b50d
SHA1: 90d9caba4a89c196b1dd9c4f99526aea19a72c89
SHA256: d8dca38d5b5dce2b301da7acd9fe3075c6eb74548e2507f796321f1461094efc
SSDeep: 384:xqUSPbw/fAe8x6UZFBjT31/FWmgk0HZ4ayyay7W+UEVy:zdfATBjT31w0Ly7SEk
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Visio.lnk.RYK 2.38 KB MD5: 014ccd9ea90832b718c4d36582e83d2c
SHA1: 733ef3afef366cf2a2ae09debfc4fab27bc68a83
SHA256: 8095e1179a41ed8824da9ac2fdaceb80d7ce43a0250ec9e201af6e8a229bdc02
SSDeep: 48:vS8+M46PFNG9OvE5kGgnkZs9KJR69K/QDzbekD7P0cLEHSY:vD+wtEQv+snkK92R6dbekH/Y
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\04\261.RYK 0.41 KB MD5: 9260ee84cdd948a7f0a616e239a7fce4
SHA1: 090ecd365ce9e3070e5711484deb32f2b5fa2b54
SHA256: f8f033a3b676a5b81bcb148c7ae3c0dd424edd6f4b21b6cb4b4bcf22402f4c28
SSDeep: 12:HQMLjQvKBo3LOsld8NRUDgall+6j2JdlE:wMzBo3LOZ3UDgI+6GdO
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.009.etl.RYK 16.28 KB MD5: a83e23a51ef16db4bbb813f7ec7be29f
SHA1: 696b6d2c3ad500ba59e4b2e379e5bc3c6d222316
SHA256: 7e7947dc49421199a2f630c15a18eecb7ebeb35fb5065b541ae54265b9eebaf9
SSDeep: 384:vu5Esc/IREC+IiMvL/jP+rOykJR9EM0PSPMFDjfQ:vu5cmDiMrD+rOyuRKMmSz
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Project.lnk.RYK 2.39 KB MD5: 5251638440810f45dbd987be0874e715
SHA1: a6f45667b8fee7cb676d637abd0326b9bf20617e
SHA256: d00886f46f8030aea9b94c5832c7c4dca66b38a2b31f5368d87da687ecb98c30
SSDeep: 48:6R3Liso0kcGRbKWU7NJuuaHzxM+HkYcx1F05SIVSyKUYhza/ZTW:U3LBo0kcSKndaHzdHkYcj0SUbKUOd
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\06\13710.RYK 0.41 KB MD5: dcb79fd22992132709451cad76f83b93
SHA1: 55d150bb9df3c94bca510132c127672586b3b86a
SHA256: f4b6b54f8dfaf44b8de7f2592bbf5e8dab37523b2f4fddf3f698e7bc79201caf
SSDeep: 6:D680DfR03rsbyn1kZU0wv4nHgV+rypvTqfBNQBV239APAqIArH9X1jte5JMcf8fR:DXAby1IVwv4HCnRIQj2t47HY5JMcWj
False
c:\programdata\microsoft\windows defender\scans\history\mput\mputhistory\22\323 0.41 KB MD5: bf75632b64bc8a10eecece74e0596571
SHA1: e43a6d06aaabbc77a316a16f64de97652b5e5c07
SHA256: 750cac35c9f3273cf1371fb226b0212cd1f5828784a6f310a284006aaa321fa0
SSDeep: 12:GbpIxwkBShYWA95D3hC+aFs1IJroGR6xhI1zjEwn:MpIxdBhWu34r2QrXR6xhyjEw
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Check For Updates.lnk.RYK 2.35 KB MD5: 13997acab674989f0de606ceaaca2278
SHA1: 6994a9a64afc8a31a15d818038f658d901aaeaab
SHA256: 4f2cd40196b3f48826a238dbc495e302d72d64d7ababe959f0e3611e99b80b20
SSDeep: 48:AQovPJDhxOMc/KthEogJ+F8yhW5gfL39TwSQLBLRn8oTQHM6IBL52HjxZ:DuPJeMcShngJ0pkZBLy+R52DxZ
False
c:\programdata\adobe\arm\reader_17.012.20098\acrordrdcupd1800920044_incr.msp 10.00 MB MD5: 095faa39cdbe7478a562659e7d585492
SHA1: 0e54bd2bb6b536cd3ef852f7006e905f3f90f7c9
SHA256: ebe6a8e7c91a602f8154f257a71838acaa19fe8417516a43ac997ed186f1ab02
SSDeep: 196608:gRBx+kUOs3EAel2YxWCqoM4ffR/uRVr8E7ejFul:gRBx1daTCqSIGS
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.010.etl.RYK 16.28 KB MD5: 6781944f1fc1fc62a0b9cce2c3922864
SHA1: ae9e3a725e52644cefb9d2592dacca5700a664e4
SHA256: fa23639146abd1c65d8357ba957584162b587cccc40533362047de97e206089a
SSDeep: 384:VfARKfvnLsr5tvjFwxZ1GetLj5+/yw5WZNAuT42JXa:VozvjFwxKeNj0WZ9Ja
False
C:\Boot\BOOTSTAT.DAT 64.28 KB MD5: 6e48e19e0886eac333612fa2e99f8023
SHA1: 96744f7909303af9090ae47a76e41edb03a731f3
SHA256: 1c3e1dea59ece439a1f2017398c10fab8e8f51184eeaedfdbd52d02e8d707ea8
SSDeep: 1536:/Ps0yoopRFvUp+xsfYQ2qJgcm7/vIZnyyaT6MZrYo9/w1B2G96:/PlyjpRep+xamum7/Kny5JrYo9/w1gGc
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MpDiag.bin.RYK 0.39 KB MD5: 1e86e8aa2affb4c523ce95f39c9d2855
SHA1: cf53a76a7211c628fe60b7f289a2053a09cef88c
SHA256: b8db1b7e17f7156f35cb6dc88ca77bbbe45beb9852fc95490533d5f1ca999abe
SSDeep: 12:V2pgt1zfkfxrmwx58BYrewOQ8cV0v6feJ:V26vkfJmwx58BYrebQNV0SmJ
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\263.RYK 0.41 KB MD5: e314d471f98f73d3dd62604fd7ddfea7
SHA1: 07a672f364fbfec5bfe242809b3ef3c3797ad25d
SHA256: 90a84369b8725eddd2afe281a8c8116dd380f8aa68212f1c690a5aaf99a49211
SSDeep: 12:RwLsgboYR4RETdYRKRvvnMYLCOuji9wdT+HfhX5YG:nYoYjxMY8ji6dT+HJX59
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\21\260.RYK 0.41 KB MD5: 383e19bbe28ec72d76dde73a8bb641cb
SHA1: a6f630ab949f154ed50a3d7147b9a6dc7da9b171
SHA256: cf26a515eaa16318193585cbb373e2c3c266ae05ae0181f548f003de357750ef
SSDeep: 6:woMHcauxOjxtV1E8JXAe6iUh/vl5U0rJJ5RfXzK2H3lfl7YN6Ng4Uo/REjdshn:w7HcauoLE41G/E+JDfvIN8U2qjdg
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini.RYK 0.64 KB MD5: 436ab3304d8b873d810cc87057a97c05
SHA1: 05f6b9f01c402869b793ab3f763081f946ec4bf7
SHA256: 59df6f424a8cdaabc43aef5c28e73bb299cd830d20d908c8d078a23acdc3b858
SSDeep: 12:zHr76evBqISHraS41AJILK7KgRwRVYbPRtaONBTShCBcAVQlRR9F+KfTaHPpgZ:zL76eZ+b4dkPO25SYBccOfF+Kf0BgZ
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\198.RYK 0.41 KB MD5: 6252d44a67eaaf5eca31a1d22919028f
SHA1: 5bbf03ce8df9b0e0def8a93c8800accd792296ab
SHA256: c10ab43bfd38609d3fb70c89eab79a111dd4f677157655bceb83bd8c32a20e58
SSDeep: 12:W1h4LueGbPHiYwzKarTobMRTE2SVGZj4yDee5CVM:WUw/iLzKKIYg2jZMs
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Devices Flow.lnk.RYK 2.42 KB MD5: a5b81558735503a12d07bd4949d9b1f7
SHA1: e72155f9431cdcb586ca672b21663e461670c876
SHA256: 62d70b204ac256e00c6339fa6b6ca078b27fa407525302497f823a00b3c0552d
SSDeep: 48:4G5pKEXbbSGTyOi1Iung/y5DdGT5w7vjxvWwhNfnko8+rDEnb5OGBeoGRs:3f9beGOruymFw/xvWindr0eoGRs
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Outlook.lnk.RYK 2.63 KB MD5: b6b9667135c28867eb8b0d9a2c9ab082
SHA1: 5ef46b9ab8a2170cc4feda092c44603292b066af
SHA256: 719637be00b991ef67e482e4e3faa3e9217b5c9b497d12cf3e227adb024fea9f
SSDeep: 48:7HLbw8dvrzF2bfYqUQbMWHAqwABx4/dEbE6OBDNPLF:73bzKRbMmNz4lEbE6QPJ
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini.RYK 0.44 KB MD5: 1bbf85bf8d80c2707dfd86e9f5eac340
SHA1: 1a2407f6fb7f0f72dca03c83ed47e66be37a402c
SHA256: c597c78f930b4cae6aa4e00bb028fc4e39bce28b81fbae5f67e1227aa8868137
SSDeep: 12:pkt8bIySXrnqUsP00Q+dRwK7iolCgoDHNwm0Yk:Otdt7ncPK+dRw8iiC3imhk
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneDrive for Business.lnk.RYK 2.42 KB MD5: 460b5756adfb11ad91290019d7c1050b
SHA1: 605fc04caf74984986e4104ed56997be6da76b94
SHA256: 63949ca75f9496dbf6e36d8d646639ef4a61018f5db1b7e76c86a244d275c9c1
SSDeep: 48:eABwLVZBoeAQ4o9eYswZ9RX+U2hCb1YKmyFMdmxpP3SwKfQYmh6:ejLieCJYpUhCB4kMy9SwKfx3
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini.RYK 0.44 KB MD5: c1904bbc4d16c09d11924eec6ce70159
SHA1: 3df3b3c384159984af846493892fc3c368b02bed
SHA256: e6d1d9c5d642717fc39bd29a10070a5ea2a32109f3e99d339f8bebb6875d05aa
SSDeep: 12:B0KWp4vtYY5t3gMbIWNAJxwDTg+frCkWwX3vie23ao:B7lYK3gXWNAJxwDLRnviBF
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access.lnk.RYK 2.64 KB MD5: 882485d5140949b615c2aa5551972e77
SHA1: 3b358194f72983f6fbcda7c87a854fce3b7dcda9
SHA256: 479af70faa130cc183e5fbc3abf1e2951f6cfb470d9d047077cbe74016239eda
SSDeep: 48:UTY++U56QgqR6qovknK33pxNgE0lCbzkmxAE48g52Dlmw+QJ093KWpf/2sipsthV:I+6RgqR6qg33pbg9Yb45J8g5pxQJnWp3
False
C:\BOOTSECT.BAK 8.28 KB MD5: 420177e81b5d588254cb266ff886e1b6
SHA1: 21a11f7e5586462e204ba1bac51511f4d7f68e02
SHA256: d7abf249fafefeb95f7d3ef44b02210c202e3b5e6f8642cbe099c5a57dc44297
SSDeep: 192:d8oNqu7YEaBXDkJbaUCm8XQQNvuk447dsMnIekdR4fN3Hl+:d8GKXXabL5XTk2XdR4l1+
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Task Manager.lnk.RYK 1.38 KB MD5: ea6864908039f3431e4985cdb1021391
SHA1: e1acef49ca309d0bf57527b33bf05769e873be9d
SHA256: c9af767c3aad9c814851f8209575aa2945883950e90500669a588a8a042a9e35
SSDeep: 24:VLg/Qh1HKfqxmAOVaADXuc+GTDzVuyfwGLaYG+jGhMKb6H3uxnqz3dK4aan:VLlhNccmrcc+G/ZFfwGRDMMKOHb384aa
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.002.etl.RYK 16.28 KB MD5: 4e94a77c32a6fa69aeae9117f51aff50
SHA1: ec61c1011cac1d4f883fb43767f348304905f035
SHA256: 3692c69afa0e608afc2b12f2bb7d16f8807b82bac1320adf7c9d6edfa64e40f5
SSDeep: 384:gSci3EiEYvomaxtBwuEFdLrTRguU/rnrRPKTtBGEf:OUEishtBwueHTeuU/LrZKTr
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Outlook 2016.lnk.RYK 2.63 KB MD5: b035e1fc1b2341401b6e04f7e6591917
SHA1: 7fa2e5d60b8c0be47f46fb6af06f9352c60e542f
SHA256: f9ae7548a61e0d74e9a2948b7a1da2aee21ce88dd5b605608c5402d6eb967bcb
SSDeep: 48:q1zuVuHKK8KxccmcgB0AJq6ZPRAa3+3EAQpZ5nfcY1E+VbBTMn5a/LK5o+4D:JK8KcvN9YeSi5fcN+Vb6n5aO5ED
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Math Input Panel.lnk.RYK 1.42 KB MD5: 320b22529433a6193057ed03798ad8be
SHA1: 4893b176a35de20b609e5d8ddeffe46d2e21c05b
SHA256: 1243c4b127e6d4c92a46d1e80f86fa9cec7daa5b3b26dfd7476f100af61b96be
SSDeep: 24:/NyuhwQkRosswB3vpS9lMfRqu9T6L+cFZDzysQzAzcSexgvq8VFWN8RQn:IuhkRBB3vpHfk2TI+cFZDzLzcSchke8s
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.0.xml.RYK 2.21 KB MD5: e22e9bcbb84cdb870fb9393ad63c76f1
SHA1: 45a1da6119648b4083bbcfea2bcc46f1c15199a2
SHA256: 16a843994e9d30634d7c18db3fd6e4cddeb6f64fbba8372e0330b82654c2c8d6
SSDeep: 48:bhcJh3hCTa+lgk06nCmv9eaHh+e5lzWbDp/WshXq64bzti/izX/bVXWtx+:NcrIFyk06CfaHhN5Wl9h6g/K5XWH+
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.bmp.RYK 784.33 KB MD5: b582be723b9100ce350ea13bcab06cc3
SHA1: 6666cd59eb1e66d9a754b7ba499134576fd4d9f9
SHA256: e59dcdca51aac31b2d48d93eebbb50013e8e304a48e61a8141384b0d0c508bb7
SSDeep: 12288:yfh8rkzA3pMHAWYWCLCg8An5LZ8Nz7NJUo4z4y0ApKaV75oh06T2bPU/QcCj1Zk:yZW13SHApW4CC2rlNM75E06TaU/fys
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\installcache_x64\baseimagefam8.RYK 10.00 MB MD5: 93eff481a09d4743c4672188709ec76a
SHA1: 484a1b7a9096b48e9535fde293abda11f4845dd8
SHA256: 118d6d609e83e7e53c91c8d330d36d6031a48861577d150c83e9469bd05ee1c3
SSDeep: 196608:VyqECAMrm/WyvONqviB7JzEShAmGmuHUeTLrbhN8+TEhJ9WuOKlj9vQy267V:VyrCAvfYlEKAmIXhNm3bYy26R
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\300.RYK 0.41 KB MD5: 763e562185d7c950e6617074577d3b95
SHA1: 5de138ae8292333d5260e6a62ab84052c62fa512
SHA256: 5692c6faa62cd0425ee575f58abd36b62569504c326760e8643cab015eadd704
SSDeep: 12:A7P4VJWC4qN4yTY4Yz+xUYOpE785KnPEu5RKydpn:2zqN4L4YzfpE78YE8g+p
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access 2016.lnk.RYK 2.64 KB MD5: af51e5c3923d9dfdaa409c2049dd09a6
SHA1: 822328de07965db94a1ad38b63602c0d6a8ad34b
SHA256: 7566c90f9c5813731bd755cf31fac034234090f1f501675f3c3402c8284baace
SSDeep: 48:erAKwc/gwGg9JZPmDuLyq4vH/kvjCknr0VysZxO29+d56LnvnbQFlQ:erAvuJZuDuLyq4fabr0V7x3i1K
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.006.etl.RYK 16.28 KB MD5: 250ebbb180089ffe82a7d8d8332e1393
SHA1: e53687e5f9f16eacc718400d6c68679a60b50e0c
SHA256: a904f9e3309e8a0b79aaf49f54edba3d9a2d2463e50034918061ed0b1bad7792
SSDeep: 384:pjQhjDEBNY0OMM/GoOb5vHoa9bfXf23WXUq54HtZAN0/O:pjQhjDEBNYR/cdIKfZ4NZANb
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\09\287.RYK 0.41 KB MD5: bebf2e1d1628deeb22e503fd69220559
SHA1: 1826de8c220a6ca570af750007398f483fa6d562
SHA256: 9a0230141548f028833273c11743239c2cb009607f1670aa149a472d62bcacfc
SSDeep: 6:y4Dok4SjvGAtQWzAQ62W/1p3P1lAoiqzMOGwF/RBFCgtAnnUEVQRH8rxcMh6Y:KkJuAtvEn2WL3PLNiqIO9ttQcH8uMhz
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Search.lnk.RYK 1.83 KB MD5: 724ca372ad76045d8eb691d86a572f7a
SHA1: 0ff2396fb1e061644f4513e1ae372b108440e1ac
SHA256: cb1d21ab8b7cc44734050cd0b31da71d38e9895ef0ab57ce6f8e4e458c3c3bbc
SSDeep: 48:12A83U+By1+g7DzVW4UscZVidXGXNMin2VDys9+E:YA83ULH7c4U8dX4cDyK+E
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\3\0000000000000000.idx.RYK 0.36 KB MD5: a1d1fafaec278573ecc7f9cc093355b4
SHA1: 0af3aad604c45d2cf92fe536b961979893ff36b2
SHA256: 2b316436037a037682cf785efa40c873d0239b6507569a1d27117e62a0b07ed0
SSDeep: 6:/qmphipA8rswauva8eBhqePTcLXxM3wK726aOnOKZ4mKGQ0poeR7jRp:CiYfaga7qeLcLqwqJaIF4j0mU7tp
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-40.png.RYK 0.71 KB MD5: ba4412afe06b8bbc5711659b477cbabc
SHA1: 2e098b05d53c4f7c6955c7abe1fb0370bc611689
SHA256: 74c8c637b42ec53b4f4c4f5a3e4ab7104808fa7ca1be1873ae0fcc278daed0de
SSDeep: 12:OnNP4gi4SQ4paBomdWlLdMEBalFtOKopOTa1QQtq2XoPC3jiqzev+DXdVQm9jGgT:Iggi44pa/MgtOKcS2YC3xzfRjGI
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.png.RYK 5.55 KB MD5: 2193c8a35256f069edd30c168f882211
SHA1: b585205867c7bc5a86c26011b6f7fe7d3dbe5d31
SHA256: a2d0f37cba94fde01e8db6f5a453f8fe425aac9e82311d2ba943b180c75a4682
SSDeep: 96:HDTpWv9kY8+mF9cS2DSB0/CnrhBhspmMuVJJl2GgNkIbXOltkTZhTYHmFFuxa085:HDTpWKYX1c0/CrhBhz5VJJyuIbefy+HC
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PrintDialog.lnk.RYK 2.42 KB MD5: 723a04b937a22ae937a4f92788dd5f88
SHA1: 969ec4dc06a785629c3307bd88b884c9acec1473
SHA256: 5efeb4844f7cc8a9b18af6a23682b0413c3a7ed949a6818e5a73ac56328509ca
SSDeep: 48:36qnNaULR1PZ3tw216vLE4FHLvsRsvB0IYIk+4l6dPIXvYrkJ/Af:36qn4cfRcvA4FHDskBhkJgQfx2f
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\10\267.RYK 0.41 KB MD5: 2a0f1f959acd44c21da32738675d22b5
SHA1: 8502d47a433b993e4e1f4a37329c9ea4b448e1ea
SHA256: 29c12ccc1e8de10cd97f8b15258406345315228ac4625b2fd784d5b0b9b37ba3
SSDeep: 6:zxlgbSX3xtuIuWEGFDG8wsG6RS3ob+AXUomCDGUf9gXpPKHOolD7wv3Oecx7hDBi:EGuIuWEGhFb+AXHyUf9ghKHOIQcxdDUD
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk.RYK 1.60 KB MD5: b4e7af78e4ed074999348fca4d337ab8
SHA1: 43662accdead9d3602c6ffe8c37d4ab0d37cbc45
SHA256: d1bd1c9e94e56824362ed879fb1c0a2e8ca7e01c6e61c19abc3780bdbf947072
SSDeep: 48:e4ml51gPb6jjZXUxeVahWm8i3ytuWNSOv7Neh2+k:eQ4jZXseMj3cuMDokX
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\11\200.RYK 0.41 KB MD5: 7f87e4922997c836ab1244fe624a6a62
SHA1: 66c115f1ea6131e52bce53fc8f739f51ddc5bbc7
SHA256: 29e521d1118f16937511bc9fbe45837617bd72035ae2e7c84b3fb049de726c38
SSDeep: 12:kct09ErWal7qB8eDmJk1M7fKjg9q140vToLG:kct0ardlG+eDyk1eCkIv0LG
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\262.RYK 0.41 KB MD5: 94475675123c38ce9934303399dfefd7
SHA1: b8b7e075c5d84c75eab1297caa70f5d19eb8076e
SHA256: 3d1d4aecb1c203d24866df4dd5f1d0956feafdd74aff4fb1fc1696b51ef34bc7
SSDeep: 12:ii2/FpsX2v9HVY+h5xtHgq26soDDl0deidYyW:ii2bsXElJh5Apw1IevN
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\MiracastView.lnk.RYK 2.44 KB MD5: 5ccc40f290651d1865a9d02955d6d0fd
SHA1: 045e8bbef6c11998f288f281c1352859419e32c4
SHA256: d84723f1a20239f4a3a68b3a304adb5f8b7017ad11b20011c5cab81fe60af3ef
SSDeep: 48:+bNpq/4uFVjajrzBMMXSKg6bW4l0CvWfyHDasLwIDrofPm:+bcLjajnukSeWCxH2sLwxe
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\07\273.RYK 0.41 KB MD5: 5530a64c30830d98d35e9eafeceee7b6
SHA1: 9a3ccbda84a1e2f8076acf442becb60e26265c1e
SHA256: 8db75ff8302ff2095282cf393303be331210dad618c6780a415f7adfbddee9b5
SSDeep: 12:DrKuhj9mbkrE1Zsyh911EN1QNRXWUvpkD:HUbKyh9/EN8Xbvp8
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Live\WLive48x48.png.RYK 4.83 KB MD5: 0c878f7b49de064c61e106fa9c137194
SHA1: c65063ff0ae4a96250dd107240531e48b8af8434
SHA256: 153d9fa7dc952761d9017f2ebf77dfcf139f84ffabbf2bada54c39368f871b17
SSDeep: 96:lftq/a/iLj9Cr5pcRm7MyG+qQV6WrgyGcD+dJnWTzwrfviLdxdqpgWw7m5PYp8WI:lftGa/iNCgmM+p/rgyG8VPGCLLdmw7sL
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.004.etl.RYK 16.28 KB MD5: 4d8c899811ea2400e64d76deaff4ddd3
SHA1: d0318ff2d2a639f5ab8ceeff71de9d969b12e4ba
SHA256: 13a3db2c9780179665950d246f31cdae400851fef4ecd93b0aca965029a8549a
SSDeep: 384:bp0myvWxnvePLdY+rRC+TbiHD8za9POaB3AUsyp/PFJRPtmRf:V0mkWlvtG93byPO9UsyNFJRoN
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.2.xml.RYK 1.63 KB MD5: fd3d26974a83fa734af50c7d40cc2718
SHA1: 28021111e6df20a673a3c960f0c766a21beb9027
SHA256: b160f7a2ac03d9d59320db9bafb71984ee0188b1e959cd0f4ef6a215aee0024f
SSDeep: 24:hdyCy1etQ2eBehyuExuN6rehaLqZMc3TvSNVIF9CgiRcS1DHVUyakSipv/glq3:LDGeheBgEoN6DEv5f4RBDHVNaQ5glq3
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\10\197.RYK 0.41 KB MD5: 038736e5c6e549a00e1d347541035313
SHA1: cb8c6eeab07195c5d5d2b4dbe528f5c29b7e9cd3
SHA256: 7172c5d5d8b370b7927e28661a64d43640d5f31fba4a012b47ae43b397cb7e1f
SSDeep: 6:eT9ouBd8EyZncoHHjRSu7R2JPPiQiP6eDQ3OAUNiROlBJDBxRSUeq9ZQLZC+mhn:eTZBdNy5c6rQg6eDQ3GNnJNnSzQ
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini.RYK 0.55 KB MD5: 458298eb43d8ba28c0ae9699aeca87ee
SHA1: ef7896f15ff4321bfa9ac5d58a53bc1cf4aa9b22
SHA256: a5a5906aefd51bc3bda0f034ffbb6a123c48071329207676d44bedd715b761d2
SSDeep: 12:7kPv+WfW8jiYiAUaaOvRLDm7HNdeF+sc/ll03Ygxn/fw9TKUvW:YzWwiYgalRLy7tdeQscdlp0Q9TKyW
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Desktop.lnk.RYK 1.11 KB MD5: 415c401c53beb61736eda7c6b6d2e589
SHA1: fb2fc93c3ea438cf45f431fd8d84f85aa6b5d1ec
SHA256: b91e2f649b170bdc561f55d30c2e11f8eca6881504c6cf17b878b32606dbaeb1
SSDeep: 24:NMoDGfnWYH8xcCpbv413GH7b2KzR7KK9V3+7QKU0SlrTG0CLi:NVGuYH8xFpbv41Gv2gRxV3+7fXSJilu
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.019.etl.RYK 4.28 KB MD5: b94f28f6d32fc5eb0c17e728eb1227fa
SHA1: c095133b18c470e8556376f3ca085d4b18bdb427
SHA256: 0cad2ffbde50b5a9117bb7236123a94d64af6c4f6ed1e4eae4c3cd47871f9931
SSDeep: 96:MkE5By/Jtpjd9mAmfoMqP+Uhp26TejO5bGu7eR24aGiO07c7zQRQ5ldXeta:MqpRoVqWUhp26TejOVaQ4rVcczrNz
False
c:\programdata\microsoft\windows defender\scans\history\mput\mputhistory\18\107001 0.41 KB MD5: 29d12ddfb713468898425b99bf1d3f11
SHA1: ee6de7bf9a498003afca0219efee507b0628690b
SHA256: b4dcbe73f727185a99bb5d6f7b665f4b00b0bf9b0f2e9be201a7100c604317d9
SSDeep: 6:LPcRYAxmFg9iJf2v6LeJkprSdtZpYbqyzvW2OS+o684HMPnU+z3BN2J3Kh2EXB5E:Tc+IzvhkBYZ2fzvW2Lx684sFY6hlBi
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Word.lnk.RYK 2.67 KB MD5: b013a840466204c19bb128b3cb5bb252
SHA1: a1333d1353c90429087a8a6b64de821389d89d83
SHA256: e3471fdc4b6fd03269e7c3a5bbf42a7d55d6c0c7e82eb6bb28ecbec0b977e100
SSDeep: 48:LN4pwh/eOGXcUw7K3QGC5SLw9sgC46YmCtvqrP1sG2P+vexAs3WTwH2NK:Rcw1e+UwuQGCjZNtvCP+GHWFWc1
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-48.png.RYK 0.77 KB MD5: 130b78cb1a1a0c495e642ad0fb3bcbd5
SHA1: 930a901db07b0518f044211b8de447a016bef63a
SHA256: 469b00ba1fb47543410ae7301ab6aea1c037f2a3d6cdfbe9d5d2b2cfbe926e3f
SSDeep: 12:Xc3oy4k5a1dDeJ6jrRjMRbgT+SZmNCPQ5IrCkiLn665HeM/6Cxn:Xch4RDlxVVIN9fki7heUxn
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\14\9664.RYK 0.41 KB MD5: 65bfcc399f84b89ecd04dad4f64297cd
SHA1: 92145c3b6743baed2b56c4bc28d894de2dbbbf7b
SHA256: e6a3abcb7d0e8348d5ae6aadd3decd9c1146d9fef8f2f99fde519e1b4311f4a0
SSDeep: 12:46jYa1wQS1UE/fk6UUrF5fjgIej8hti//v7GkLWB:4uwSEU6xrLfjejMIXv7vO
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Immersive Control Panel.lnk.RYK 2.56 KB MD5: 681badab6457c9d167a97f6239acc443
SHA1: 7ec5b7eeb0a68b5066e1d7fe0d5bad67b7c2deab
SHA256: 6dc61a6e8af41938aabdd9173ff7e10a82b469accecc23a1510d0b7f3605ce63
SSDeep: 48:pKG97+wgofEYJtLQVGHEJ2JvrW7ZO3IfaoPgcqTA03hW7SHaEcC0qAgF:JhlgiEY/QskGW7Z0iaogWjEcC0rgF
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Visit Java.com.url.RYK 0.46 KB MD5: 1b20a6b23cf36640858d1460c9c1871f
SHA1: b98b6996933f6d825054d8caa97ecc007b9f6258
SHA256: 6b6adf2ee4432dcb924c364b70defc61b392202cdbeb4c7f08436246c1434fe1
SSDeep: 6:WXaYvG+px8nkqwF6bvlnmVJXJ82gZyVDTVfZj3kQdRk6tH9zOYmjAaDBySge3jAL:KafexYk+mD5xD7Zj3ZXH9zOXAsySvC8u
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\272.RYK 0.41 KB MD5: b3bd34768ee58a519330f77cbaa29c59
SHA1: 0a7c81969cbdcb4aed5d2862f70d13cf4534c6c4
SHA256: 9437531ee0799185eafe04155c3e96dceaab6f31860e918bd05442ba98dd2801
SSDeep: 12:psNoqw8vQ9kri1LIO3PWSH/xoRdE8gLJn:iNdw8qx1M4VORdEfLJ
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\dfrgui.lnk.RYK 1.41 KB MD5: fc39a0b01d2ac1ce027b772d0099fad2
SHA1: ca2dec6f87e10bb7ac67875a4c131d121224dac2
SHA256: feed7808ea5f7129487a69e56041f36ba1c130943a7ebc656ffd8babdc1088fe
SSDeep: 24:pjPEDH9R/yF0LfAuS/3conSdCf7rv5t/wSX1Ci4as9BEBeMajggWqthDLAZeQAUH:hPEhRnzA53SQfZt/wSX1m8gMaj1PthAx
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini.RYK 0.44 KB MD5: 5c00961b9ec206e12bc354b01dfa5a2a
SHA1: dbe7965998592fc30f7433c1cccfbdeacde736dc
SHA256: 79c75968757b514be281a6aba8dafbd0022b98b234166d0d7eeabd6ea92bc703
SSDeep: 12:xvpr7uHp26dMkYCcxkkYVpyNniHZLDblQyo2CKrwi:xvsHM6dMkY3kDVps6Z7lQn2lrwi
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\328.RYK 0.41 KB MD5: 1db822b509e0bbe49c5e57aae6c05399
SHA1: b47825419052d54d8b433ac8ef19caea0e59d407
SHA256: 1b1fc793f3cd2de498d5a479a9c37537b07a98357c7327915a71d4986321c8ff
SSDeep: 6:BMf57XBA2vu8l3L3cmRYU7JuZhN21iu8GPTehQ1vKWecJ7x3oRQ6H3ao3kExF/dv:BMf57hvJLtYUo9sehmbx3N6HgkdUDi
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107002.RYK 0.41 KB MD5: 3ef479721175622e55953e0ea80e15cc
SHA1: 825de57d188ef85dcd55f1214ac290be73f0e701
SHA256: 92bf63531a80333e20912a5b186d4c43151e6dfb27066437efb57170e39f9d14
SSDeep: 12:a4TCdIlhczbPcU7avtyazAfNUF/yetz1bnDPsmdrnOnUTN1G:xgbPn+1Rbz5DPsmdrnFZM
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\199.RYK 0.41 KB MD5: 05305617a2e228f5c8b254e3f62e3c6b
SHA1: 6431cc4dbca7f373c339da50eaced82e03c0897c
SHA256: 3e187699dc835b695a842e02501fb509647ac7c586880ba4fb6ac448cccb5b88
SSDeep: 12:SUJnWgzk4eJ/Up4pRY8JOAbL+BE9qH0ny8SXSn:SMWsIRY8Jjfb980y2
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\1\0000000000000000.idx.RYK 0.36 KB MD5: e5f4cf3e79db54c833e5d1f44bdd64e9
SHA1: ea9910f9b5a3fbf113aed08268dbffcb836882bd
SHA256: 37630ca38fd66850fbfcb3ae54d87ffd598136402fce946ab2e8a234ae13fbc2
SSDeep: 6:CRRxnAFyvFHwRK7YSPHvmd4cpAZfkIDlLH99cbXjxBPd+T6AaHpSCTxDOKI:Qxn9kK7HWRpAZcI5dW/j/FrI
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini.RYK 0.64 KB MD5: 8d3e365a68a9dfdb44e09d78524f36f0
SHA1: f1b0362cf559ef383441a8d032300d1fc3a8681b
SHA256: 6cce7cb4a80823bc98c49c27761a96ac09cb254752b061f61a4274d52b070c74
SSDeep: 12:ML1i8Z5jMXFyFmdo2kGvv7ggDs3Bm5B6z/bfnxQZBpykw:25jMXsFV2kYjJQoqznCB0kw
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.015.etl.RYK 16.28 KB MD5: 08cd920090ae26a8a1ef6e221804ddb6
SHA1: 15d26cc4a8bb4cf62bb015904602498d554514c7
SHA256: 96d51f0e025902114afe0287911259973386b6bb07cd911a1a1ad8af5fcd9644
SSDeep: 384:7kB6XsUnOP7DXXdI0AYsWabhn5SKBQLnLxvHU:7kBR8ODTNIwun5SKBQhc
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher.lnk.RYK 2.63 KB MD5: f21706445fa097fb850c8feb6211e4f3
SHA1: 1f10de46b9a025bc1f2463d351647eb18d7b2933
SHA256: 91a72e360549216d7523754e47ab4a52859b9566d5f4fd4077a6d3af06602ac3
SSDeep: 48:REadGV8lSOQjuS2eolr5XrLt6fFGkQHCw6xiK+POyZ98ZJ3DUt7/Dj:qafo7juJLH7Lt6fAcxi5PV98/IJDj
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Snipping Tool.lnk.RYK 1.38 KB MD5: 3da139dc1bf89589612bca83a5768faa
SHA1: 4fca3d6582ba1d3887df8d4a4fdcb59c07b2a74e
SHA256: a1729cfaf9935ae9916522a730b2e8fe9890bf0901d4037939572e5ca9f66d6a
SSDeep: 24:oFdYhQvvCJjh8HIeDoAHHQzjy0uXhyzjyCc3w/+erbUT9sZakjVf+fMdUd:oQhQHCnSIEHge8/rBbUTyoG+d
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.1.xml.RYK 2.21 KB MD5: 9407fde948e785b159acefbdf9bafd0f
SHA1: 7c8827316422b448b27b9d72562314dda44a406b
SHA256: 3e8a7d1ca8f1bda7717ba6d388811d2a2d504e2ef8e5b8cf1f218ee6e5f02c13
SSDeep: 48:0lsrAp7MhfBF0lpvrax25j7UJu7Fh+8JMVPMIvamCi:Oj7MhfT2JV/+nPM7mCi
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business.lnk.RYK 2.67 KB MD5: b9b931dc8944e691a7510afc9bd858bb
SHA1: b8d38a1b2ec8adf73a351354690437a34c8e2732
SHA256: c3f93dfaad54df5902ce4ae44b12fce33441bd52fa6476f8ee5e939362f30ecb
SSDeep: 48:aS9JFvKfYFbZYc2TAjkyZ2NxcLtaroeNSu4BoHRt/sMkAKT:HovcskoYpazt4Cn0B
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Paint.lnk.RYK 1.36 KB MD5: 3f244932296693630baace9f5d47cb23
SHA1: 13de4ed150a68e5fca401dad2dc19218ed2afdc5
SHA256: 39da025a90a13e13e7de0ffd8c42d530548bd6e13bfe7dc2cb98279f192aba92
SSDeep: 24:kEv0qr8nqXvLCc32Z1zvLvP0k65JH69bi3ZiytBOqRSJZEp:37InqXR3i1zvokkH6YPVp
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini.RYK 0.72 KB MD5: 0a2f700037d9f8fff3c573b4b8e641fa
SHA1: 02d82743f73d21d219cb5f85c1148d9e6fbfce21
SHA256: 4c90df74def91154eeb70a2122c4a5aecc946cc999b4dc78546a62eecaf53118
SSDeep: 12:e5rDarKKlxDaS38vaSwgcSGTiBQ2W9Tku5l+C9XXF1POKYQJcYpvGPGWQWmwCDLn:eAeKlx2SsygGTi2k2wQzPmQJjEQt3DLn
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.008.etl.RYK 16.28 KB MD5: 86158940cd7e8c0122122a8b6235cec3
SHA1: 270ad42d2484a1d534dd5bc7850ee7c7ba2a9e48
SHA256: 354dc8bba9c8a43f94a53046d4918186fcebc0d180a7bad6100df3c528fe2701
SSDeep: 384:uez7XBfUmZTqu1cewfdnwACTCsJWIy3FJD9I/ABntYzHdTZlCDN:RHXd7ptcNf9wRCUy3LDK/AFWnCh
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\271.RYK 0.41 KB MD5: e4387a18f7a4e6bc3e6be3bd94b1c1e5
SHA1: 869de5a88a5b1462074b7342d2662a6451d2ccb0
SHA256: eb744f483b3f0bb688e3920b1743c1f68c9d1efe0af2dacc66c9f60c3feb3325
SSDeep: 12:gvUyax7edcyfpTDz3Dr8BFfxT+wQ+g8uc4:gMyax1yRr4f+Ouc4
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.016.etl.RYK 16.28 KB MD5: 47a176790ae8314a49ac659f0a4d73c8
SHA1: ace62e3d6ff3be7c615a71b9f7df0be36bceb60e
SHA256: f328506738183e312da5242cdd1fcae9590f579c5f3fc79e9d396bc8a7e22692
SSDeep: 384:tLxrKh8UvpTBbD+MVI6QGLpuGugujTC1z2SGNW:Qhtp4GoGuHS/d
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\00\192.RYK 0.41 KB MD5: f2daebf1b1a8402c9fadb8650bcae201
SHA1: ec05a739f4f9bc9fe1ae328bbc929afadebe777c
SHA256: 8ee8b5401974afb7756a42d766850cb15a3e51487712c333fdb027019be97c68
SSDeep: 6:UGBuv+RsvKw6LFPAqXhLSOVXI3Tw4wPPTbxzSvaXbO3O6Qw1eAO0yHSAjIyBTd4S:JhAr6R3hLfXI3TwBzrQ0w1e90VEOgV
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Default Programs.lnk.RYK 1.50 KB MD5: cd3966e781e4e76442632218f555b8e8
SHA1: 1d56693e799a4dfdc04429d3968db3e04b602524
SHA256: 14bf7d93d54578ece784b399bbcb171876b7af5d6fab24d76d6c7f6fe6979203
SSDeep: 24:8aV52CUTY3dOjvbNDs0mzNZ/+U7f5iNS55TKrugyKv99GAbqZSBrRf15B3/m:ZWqdm8zNF7xyuPJg99GNSBdX0
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\196.RYK 0.41 KB MD5: ed17bb464e1545aade3cf96084b65514
SHA1: 4a24970913ae6dd25afa04b2129eb4432a38a888
SHA256: aedb4b79832c18859cde08b1d282212401d5047a9fa2823cc484340057b8894e
SSDeep: 6:8kQyuaox1EOuyO0KgO5N5bVwmhG7CN4HNkVTS5eXGnUB7BH+8+eaCz4eT9tFR38:83a+iyI/r6tMSAXGnY7Bjlapepts
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\services.lnk.RYK 1.41 KB MD5: a9b56eacabcb51710ecae7312085b558
SHA1: 56b83d7666f6976325e18d9068a19789fa520ac3
SHA256: 70d446f374f75589b2423b06dadc22ebbe68c91271a13723c25e910fbe276e64
SSDeep: 24:v5g0GZxW0vuPy+3I4hPXapCbWziNDTVpxm8dUe3L54jV42u62xU7n2Wx:v6Zx9ZKI2QsciNHVPfdZAVLUQnh
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp.RYK 10.00 MB MD5: 67b48049beda10ad696e396fef39d950
SHA1: 466a715a1de5dacb24e443458f0ab5d385a7ea5c
SHA256: 54b82ab40de4ee022d1a67eb445edd900bca0db3861886170d9006947496e008
SSDeep: 196608:gRB/okUOs3EAel2YxWCqoM4ffR/uRVr8E7ejFul:gRB7daTCqSIGS
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneNote 2016.lnk.RYK 2.61 KB MD5: 606d9eae079666f684b6a831d0cd4587
SHA1: 4b7ce3719cc26643d92970422e4e17a66e2e6db3
SHA256: 62dddfbb666dfd9546657bf8117bd9a8463898725e38e457ceb7f2ca62c92555
SSDeep: 48:RUVPnCJskIsh+MIj1KK1oIdsapcTw1j//XLY1KO9lInY47eVJp47Yh1KbNGWW:RUVqSk9hyNoWcTu29lIYseVI7SKbMWW
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\266.RYK 0.41 KB MD5: 27375307c83c8ec8b5ffa438309f5e5f
SHA1: 5a8407ff336a66dfbccca4955f43f4d4e48719ea
SHA256: 785de662f63456fc1871a1f565342896fb0dc7e1bb73cbf97258689c1aadae60
SSDeep: 12:8z3teXxrf3BPUCbkg8Gi4NRpmB03+yGtV2/oViU:8C3UCbfi67mKgthkU
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateUx.001.etl.RYK 4.28 KB MD5: f6b31d51048fed7ba59160a38d5e07e6
SHA1: 7b12ae7962727df8dc36db1939cf4500637f4342
SHA256: bd8b9742622f1d455a8175361be62d5e651e894e989589da1c39a6dbf1bb411d
SSDeep: 96:wJ+rbeG7NnrU2esTbEE08bpfBsfC4zdNcYC6LglZvTL:wJ+PemnrU2/dIRZNPLAZ3
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\21\13719.RYK 0.41 KB MD5: 16629377b5a94cdd9b3d98f037602052
SHA1: a9295a2d8bbf3457b89b4a3212453c76e9a85bbe
SHA256: c0c667575364bf1358461875701582b6ade8262273b7c26f1e949527df415bae
SSDeep: 12:ZRt9j079DuS2C8T11cp5TqUZXVj0GFHpvB1sIXmtY6AK:vtm7AC8hy/TPoGHpvDIll
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.png.RYK 5.55 KB MD5: dc9d598ac7d385a1fbe0745d28b10d61
SHA1: c26524eb0d47124b922d4be871be1bf009940559
SHA256: 2b9af43c29a46b9f18639d6eea67f19421f9ea7ba52b5fd66d1ae8b5afa2e8f3
SSDeep: 96:ZPnmsSCRAjO+QvtkX/93WX6i6tVaAA+9diVXjdpoDcIi0+PzAJTMAQZH1:ZPmsSCL+0tkX/TVDAssdi4IiZkqn1
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business 2016.lnk.RYK 2.67 KB MD5: dadcab4f2d62aa7dee9c6233bc3f2d7d
SHA1: 56b52f6528f03d00c9edb5818d349bd83fefff45
SHA256: 9e80b0b02bf184f8bd6bddd7ec897b0f90e37c8c5e74f42be53fe59164d934e2
SSDeep: 48:0wt2NEgBpV7J1DHhP6Ps+lai3ofCXmDlylni5T9sa6J+hY9Kv+g4atH+T:0k2NpptJ1DBPAN3o1RB6J+hiKvRDH+T
False
c:\programdata\microsoft\windows\start menu\programs\accessories\desktop.ini 1.72 KB MD5: 9d73e3e0fcb57986c4506c1608e9cddd
SHA1: 910e535fef6df19c696f84edbe77f790b604e1ab
SHA256: a1c87a28e984d70f876a6317b5cfcd94710a8ead65f305718ff0e68334bfc0c4
SSDeep: 48:2IDmza/PABPpoP+IMpvG1g/JaxZGGHmyx9J4KAZzeGjI808nGn:2wX/Pf5evG1+afXH3xY7zeSRnGn
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.011.etl.RYK 16.28 KB MD5: 15e51f38bb0b0f6f0ca4875de80557bf
SHA1: bd722b2bacf6e097889247e3d6fb478706aa4821
SHA256: b8df085680a67c24fe3064d71e51006c3bd496ebc60f74bfc20b9822bae75dd4
SSDeep: 384:dXevRGlbjc5Ft1qm1kIw/3EX4BQ5oO0n4XTfeENPuajfK3t9w8gr2U5uE/wj:iRGlbI5Ftcm12/AcQ5RNPuqK3t9lvQud
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol.RYK 0.71 KB MD5: ba64bdfddad8bf4721be2dc57fb77de0
SHA1: 1632cb63d65b095f74c1670484a7c026200f174e
SHA256: 4bf14efd5818d594c0f88a4ee9da20a8a54b471a6a9fcb3f45632a6ba1330d53
SSDeep: 12:gTJTVMeaPQzbgv9Q6020kIsj6rqmn/YVst9QXF5SdMQSzfIIvfWndrO2:gVTVWPoa30P66rqxVPXF2SvfAJf
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\13\278.RYK 0.41 KB MD5: 3b7279680dd7a38b4bfcca2d70e7a812
SHA1: d82b3d5f831add1a7d203be79e46c3936df2bf7e
SHA256: c837b1e0372246de6629150b345661b6d06fe8a65f73bc962c55e7e541dc98fd
SSDeep: 12:uBCvzAVfoeyHLtyfwVNQPqTLFuZ5HiRgGMv:FvzAanZx0PyiYZY
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.020.etl.RYK 8.28 KB MD5: bc043d2fccc190d2d5c40efb060ee89d
SHA1: e81b38709f1b60e2e6f7a994afb90b2ccb94abac
SHA256: da16e527e3633b6d6002454d115d6fa4d987d156a873b97c1b6d2f890825a3f9
SSDeep: 192:dwAiKg5tZoTN4fnExA2Ll12/o1vs2SZhiv:dE5DoG8532/WvsbZhM
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Steps Recorder.lnk.RYK 1.35 KB MD5: e2d8cf8a721eda3bbdc113e83015b6ae
SHA1: e8150d86de41d794e49366d8aa8eb897e37cbaa4
SHA256: 0282e9d247eaf1021f9324e1cfb84c4ebe24ae238395556bb87b5faff136ae42
SSDeep: 24:ZHKGIfEg8pAwq7RuZdfOt7ZT62nWHdgcM1FYqJgJ54lJ40vKRrQ:lKGIf/6q7RuZdfOt7ZWHdM16qJoUJ40F
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\12\194.RYK 0.41 KB MD5: d1829709b2a4ca0746b5d8a5605360b0
SHA1: e54ef11845a1c45d8eea455070e275d37b241a90
SHA256: f53b785d1f9fbabd842eda7614949db17b478235ce4bb3f077b774b7e99a4f8e
SSDeep: 6:9a5/GEjpDYMGz1YBsV6UaZCD1LK0VE93DEeeybyA+grIvB81gc/rMZb66CyBiB7N:45uwDYpJPaMRO0VE9z1V0gFKD2FxwW
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini.RYK 1.27 KB MD5: 2537892918d7199c5da36c1080ba8156
SHA1: 595c192d66e4bd333fee720c1301bd4dff1baed0
SHA256: b25cd65acde02d8cfbb3c57d69fe7da963d5807138b6fbf808580d31daf4d8bc
SSDeep: 24:F8DrxCyEX3f1DKj16VP4umufSMhgicfcqdlJiK+ojqcI8pQzx:mDrxpEXahqRhbMcqdlMKbj28pcx
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel 2016.lnk.RYK 2.64 KB MD5: 941435c209d1b2ce23836922fbf47ef5
SHA1: b9f9dd8f20bc6febeff1f0c89216ee61aadc24ef
SHA256: 884cf1584b538e350a5ad025ec584bc77cecc569a65b31a37bf0178391e60504
SSDeep: 48:RWDHoQEXbJIeWaqAjV/RSh0RceJbbDrX67dWyuAzhWyPfVj2vmW++9YRtzq17a4L:aHojXkojV/RFJP6zuAEy3Vj2vmW14zqT
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\02\303.RYK 0.44 KB MD5: 901ce2745769f7d463250004ada87611
SHA1: 61567b2d05b770be674fbba0a1e51d9190b09387
SHA256: 21888eafef2ee35dc4f7a4006c7d2ea42d5dd84e7a210b0e9017455a4eb2b24c
SSDeep: 6:mw/WlGntjCDnZz1VSaZJ/irSlL9pR4SDYujyWSZjqbz26n+fGdQab+eB7Yk+Vjpf:mECdz1oKkELlDFjyVZ5GtJV8BFPiiB
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\13712.RYK 0.41 KB MD5: a408a70a5d84c5d1775cf8ece49659cd
SHA1: 761936a12d8240187cb06a5c7a596e978ad897d4
SHA256: 15ecaf804ae42095f5479def1db9f9c93d48729b8fea7b8a57faf3898827f842
SSDeep: 6:iGJ9d+Dy7SAHRhJBeMUKLCyC3cSLB5sur6bDvrOEit85Gh0Ds+dXL6tD7EPIIeAA:L9dcyXJ7L+cS1yTbnXimchqWvDAohr
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Pending.GRL.RYK 14.89 KB MD5: 4166a57d648b1ae6d93819ec7fcee4b3
SHA1: 20ac87c46d47750973eed98138cdc10a0e20b9d8
SHA256: 29d9f584cd15b229543fd2b520fdcee4aa5a4f019f69404f5a102e1bbb50f381
SSDeep: 384:BSDeLMjt3p3lpZsIwjm+msafWMCe9H/TgeQG:BSyIZLpuIya+MTRTUG
False
c:\programdata\microsoft\windows defender\scans\history\mput\mputhistory\18\195 0.41 KB MD5: d29212e8035f242ccf3916c775726a0a
SHA1: 0fcf37b0925518d6296ae4f366ddefc405e9c37a
SHA256: 33a21897d7b080fd363c74644483ef989ab1760fbe0d02984ccd6b553ab3b76f
SSDeep: 12:YAgQr3WDS5RUW40kmvKNfyrJp5k7RbeH7D9suw:dgQLWDsRE0HvJpuRg7Jsuw
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Visio 2016.lnk.RYK 2.67 KB MD5: b7be268e438942f1279a58ad96ca07a9
SHA1: 438b5da31a715de40197606bb1f50609e98eb439
SHA256: 9a1126a79526c97299abd89ad22a17c5bf3d6fca541f8da1bb075b0d8ee7c412
SSDeep: 48:jGrvctbfhF4rOsyeKmLUU/KfJlY8Jd5vsY2a9hV/UAAgnoEaP:jgv8bZFzeKmLUU/Kfk8Jd5vskT8AAhEY
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini.RYK 0.64 KB MD5: 6e7ba2db7c4808a0a3b1ad8c91efa697
SHA1: 3f9d82a54cb8e4b7fdbd2de5d97073f68b28abd9
SHA256: aae9463e92bded0f9cbb98f8793215459f8a9dd9b2484563348157d36fc664c9
SSDeep: 12:EoCLD553ZI/QZH1cLRxT+FzgXaadXLGWTrcmUZhK1MkwBeFvMZTP2/o3YPn+gqdd:EoCDjpIIZePwcD5Ic1M3wQ1DPn6W
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.001.etl.RYK 16.28 KB MD5: 074708ca4ffeac99b6d215fc149c2e8f
SHA1: dfa6daaa8286e24f8b99cf8842b7862e4ad00c67
SHA256: 1230a5659c9f3dc00daef3d86806526dbeef1c5a31cacfdd914fcc13eda29019
SSDeep: 384:LLqsUZ6Y3/hZvu62rIxCN+DlthSeCq31g0ikJr4ron:asLcPv928xkqltopOg10V
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.003.etl.RYK 16.28 KB MD5: 6d0a9983a7cdf21f9dd78e820c5b3399
SHA1: 888d466efed748d160b61647ad126781d3130ab4
SHA256: 99fee1f76ee55272a24605715428a6e3b78ac5a969e695c484d104387f0128be
SSDeep: 384:QRPAZVycdrj+d/Vps5QfqRaeFyump//2S+ouLgnwKobwzkhFb+:QR4ZVvrj+KWC89rN1obOO+
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint 2016.lnk.RYK 2.67 KB MD5: fb16b0d4acc55850b0b577f266e77bdb
SHA1: a26e769058b0eff1274f3455832ddeb3d21dc605
SHA256: 200a55dabd137bbbc64d3b4b070b547fad2ae0dcbf53548ffd60391cbbb8935a
SSDeep: 48:t7LyzxrxMxodnI5uAhryU53VugN4PKfRsLY4DFXzW3tdN4OnsPhXS7cUbPMQ1zGt:tXmxrTnI5uAhryU5sgNq4aE4DFwXiOn8
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.012.etl.RYK 16.28 KB MD5: 4efc3f631fa0dd5b733e55c72b61682e
SHA1: f5c9e94c477f3b73f797b57c3ecd5ff91c5dc6a1
SHA256: 7fd7d67b9956145ad4ab5c8a194271bc1e9fd30ad4d9a80f3fc1f8fc7916259e
SSDeep: 384:iBV5lO00Z1nxNs4vS7MQk/ROAv0R6HBQVJE+m3SttYgyj:QVrOflxNMfkZOAv0R6aTm3S0P
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedScenarios\Windows.Uif.static.RYK 2.83 KB MD5: d95dbdc7b04017dac69277df7bcb6934
SHA1: 0063c40724000b62c0b42b8996f65cc53706366f
SHA256: ae40988eec27609522db4088af525cdae1a210ac33911c73a82e1af9b83c4d5d
SSDeep: 48:vCQZveDNsmHbULbKZEJSkVCSxPRxLdz/jYPJbgaAw8g8nQVmmuaEQlVmS+dwF7m:vpRWmmQLiEJrVCSNrdzbYxb1A0cMm7aS
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Project 2016.lnk.RYK 2.69 KB MD5: fba191943805071e529d043c5c9598ac
SHA1: cec304f4e94b4c1821d2aa5408b191ed8bdb55d3
SHA256: 1dae1e5f9ac0da32b2999d7e273056c3cb2877485904b27c224dc480b8320b94
SSDeep: 48:qVA+yvxqI1bbFJOMQdLuJEUqXLgHY8lA3i7ZUVBQpPdTLTrfYGDX7a9O:VxqI1bJYM2y4gHYsZUV2pVf/Y+UO
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Configure Java.lnk.RYK 2.30 KB MD5: ce96b3a4304ca2f0f3e7ca2fb06f7d7f
SHA1: 6f25ebd533de94dc550850ed2a7d1c8b73123a36
SHA256: 1c97619b06a54681c47c6ce1940f592d1cd97fda12cf6700a650b23b4af8bb8c
SSDeep: 48:X8KaI1dboEpeZXOk7Ef6CTS0HlGj6e6u3nNXOARVCzYSz1zSP2h6FnD:I2q8eZXOk46CGAGjn64nsQUUSpzAhN
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher 2016.lnk.RYK 2.63 KB MD5: 2f467b4825348af8c098b49ae54fac18
SHA1: 5209fae69711fb4d28ba013feea0bc19ddbf36b5
SHA256: c7cba9d2b589203763fd354736c9b95abc6b9d5ea5d30d05ef7d0d710bf17bc5
SSDeep: 48:XVuGOhfjw+/I+qDVnxqVV5cjM9IrlfRg1o7dVsiWzcjSV8O265SfmZ17I4C3bUfp:XVWfjw+J+BkV5clrlaM3JOOO265SfmZr
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.013.etl.RYK 16.28 KB MD5: 3f3e437904352274ee04e77806b073d1
SHA1: 478e9718fdfe416e122f4cac6ca800ed4f74ac23
SHA256: 18987e544c4f22c4364236bc961245864cba310b4cbdb49781d1f7f4ab84e8af
SSDeep: 384:5ww4ZjkNq/bNrYYxGGgwgfE5UzurfsT2WV:5wwUjxtxOAUpHV
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.017.etl.RYK 16.28 KB MD5: b651be5e48f96a5b537116e7d102655f
SHA1: 4b6225a32cd2449317094501f6fba0c0c3484591
SHA256: 0b620bf3989e4b9579d1fa33e443b945abbcde73c55c6107ec27676c9a5af0c5
SSDeep: 384:jgZwUJsJ2jf2QhRzWC+x41RmvQujiGXMGG5aeTgX2Ne+kNlUj/hjn:jtUJ3jhRzWC+x41E1jjXzuaig8e+YUjd
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\2\90\B6D0EAFA5E8634A6.dat.RYK 0.72 KB MD5: 0c9911ab0d61cf15d56481bcbd1a3307
SHA1: 6535a9fa8ae53be7ef71745f44a2833e4387cf68
SHA256: f3a1eba5221cf634ae216246c1a23e898064cea32eed25397062273c4f308dbb
SSDeep: 12:xVhgDQgjiDDyc0tNksm0rdxIduDYKCoV1w4xzkO2uJGcud9my2LqyN8ykPIubWHF:XhgHiDDyesHvrYKpw4xyrTmy2LqyN8yJ
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\Acrobat Reader DC.lnk.RYK 2.36 KB MD5: b5c56285c8098b635a5fe0ae1e624a8a
SHA1: f6d6b5c46482b27254f345af10e3125a9fd94e11
SHA256: d8e97b14831ab30f0d0a8462d65fc0f1c9584ffc22242b6e4606d4ace2ac1a08
SSDeep: 48:snVspFnMOCkXLn+BPjBSdx/mk74FaOZLW2ATCBc9IvylR4mmhKR1iUrTYffo:aVUFMqyjkt12AOB6Iv+ghAo0Yfg
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel.lnk.RYK 2.64 KB MD5: f6bdd77e459b382cbaee3c6d66326748
SHA1: c91915111ad17e78d239373178ae83153294de3f
SHA256: 48fdb0fce2d2d0d2c8ee8354daecf442d2f89ab54a7512e048b0302e3ac8efe8
SSDeep: 48:kcxJX+BDREyjOOCec0DTLCfeJGlD8abwHMH8f8Vdulgk1mRV5zc+wPduiAAVc:kgXw9djOOCevDTIeJGlDN2MHwsKUzYdQ
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\2\0000000000000000.idx.RYK 0.36 KB MD5: d05f09df17049de669fd783e03219443
SHA1: 60a991dce4ee9fff81e0fe7900b4f2e2436b9dcf
SHA256: c66deab773875f5deba7146a58d00912f458a3f59003f8fab978d5a4d2395d24
SSDeep: 6:56/+8HAFQq+L0Voifmz2t+cWz9IoPLnYeb2Vjseud1czDQ1eihlsFkgEBD/Lovgj:e+OAFQq+Lefc2xWz9REeb2VL+WMDh+Fe
False
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini.RYK 0.44 KB MD5: a0bbb0c1fc1c8cd7f5055792759560d9
SHA1: 8fee8af6a2e34f05ae569f51bd57ac266b3a8236
SHA256: 2df00c445644c90dbb5eb39058e9bd1310648181d632fc237a6cb4ec0c18aa25
SSDeep: 12:sqYEPvZzMeHTlzN6L7f1SwV02coc/fYZfb:sqVZzLHTqdF+Qb
False
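The .RYK rows above show two things worth pulling out of a report like this programmatically: the encryptor appends .RYK after the original extension (so the original file name is recoverable from the row), and many of the paths repeat "Application Data" many times. The second is not a display bug: C:\ProgramData\Application Data is a junction back to C:\ProgramData (and C:\Documents and Settings is a junction to C:\Users), so a file walker that follows junctions loops until the path length limit stops it, which is why the same Start Menu shortcuts and Defender history files appear under ever deeper paths. The Host Behavior table that follows shows the companion pattern: RyukReadMe.txt is created with GENERIC_WRITE in every directory visited, while files to be encrypted are opened with GENERIC_WRITE and GENERIC_READ, including the boot files; here the opens on C:\Boot\BCD and C:\bootmgr failed (Success = False), while C:\Boot\BOOTSTAT.DAT, C:\BOOTNXT and C:\BOOTSECT.BAK succeeded. The script below is an added example, not code from the VMRay report or from VMRay; it takes only the two row shapes from the page ("<path> <size> KB MD5: <hex>" and "Create <path> desired_access = ..., file_attributes = ... <True|False> <count>"), and the sample rows, the loop threshold of 3 and the function names are ours.

```python
"""Triage of VMRay-style file records from a Ryuk detonation report.

Added example; not code from the VMRay report or from VMRay.  Only the two
row shapes are taken from the page; sample rows and thresholds are ours.
"""
import re

RANSOM_EXT = ".RYK"            # appended after the original extension (foo.lnk -> foo.lnk.RYK)
NOTE_NAME = "RyukReadMe.txt"   # dropped into every directory the encryptor visits

# "<path> <size> KB MD5: <hex>"  (extracted-file list)
EXTRACTED_RE = re.compile(
    r"^(?P<path>.+?) (?P<size>[\d.]+) KB MD5: (?P<md5>[0-9a-f]{32})$")
# "Create <path> desired_access = ..., file_attributes = <attr> <True|False> <count>"  (Host Behavior)
CREATE_RE = re.compile(
    r"^Create (?P<path>.+?) desired_access = (?P<access>.+?), "
    r"file_attributes = \S+ (?P<ok>True|False) (?P<count>\d+)$")

# Constructed sample rows, modelled on (and partly copied from) rows in the report.
SAMPLE_EXTRACTED = [
    r"C:\Documents and Settings\All Users\Application Data\Application Data\Application Data"
    r"\Start Menu\Programs\Excel 2016.lnk.RYK 2.64 KB MD5: 941435c209d1b2ce23836922fbf47ef5",
    r"c:\programdata\microsoft\windows defender\scans\history\mput\mputhistory\18\195"
    r" 0.41 KB MD5: d29212e8035f242ccf3916c775726a0a",
    r"C:\Users\Public\quarterly.xlsx.RYK 52.10 KB MD5: 00000000000000000000000000000000",  # constructed
]
SAMPLE_CREATES = [
    r"Create C:\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1",
    r"Create C:\Boot\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1",
    r"Create C:\Boot\BCD desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1",
    r"Create C:\Boot\BOOTSTAT.DAT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1",
    r"Create C:\Boot\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1",
    r"Create C:\Boot\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 38",
]


def strip_ransom_ext(path):
    """Return (original_path, was_encrypted); the marker sits after the real extension."""
    if path.upper().endswith(RANSOM_EXT):
        return path[:-len(RANSOM_EXT)], True
    return path, False


def junction_loop_depth(path):
    """Longest run of identical consecutive path components, case-insensitive.

    'C:\\ProgramData\\Application Data' is a junction back to C:\\ProgramData, so a
    walker that follows junctions yields ...\\Application Data\\Application Data\\...
    until the path length limit stops it.  A run of 3 or more is a reliable sign.
    """
    parts = [p.lower() for p in path.split("\\") if p]
    best = run = 1
    for prev, cur in zip(parts, parts[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def triage_extracted(lines, loop_threshold=3):
    """Split extracted-file rows into recovered original names and junction-loop paths."""
    encrypted, looped, total = [], [], 0
    for line in lines:
        m = EXTRACTED_RE.match(line.strip())
        if not m:
            continue            # not an extracted-file row (hash lines, 'False' flags, headers)
        total += 1
        path = m.group("path")
        original, was_encrypted = strip_ransom_ext(path)
        if was_encrypted:
            encrypted.append(original)
        if junction_loop_depth(path) >= loop_threshold:
            looped.append(path)
    return {"total": total, "encrypted": encrypted, "junction_loops": looped}


def note_fanout(lines):
    """Distinct directories that received the ransom note, and the outcome of each
    read+write open of a file under C:\\Boot (False = the encryptor could not open it)."""
    note_dirs, boot_opens = set(), {}
    for line in lines:
        m = CREATE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        directory, _, name = path.rpartition("\\")
        if name == NOTE_NAME:
            note_dirs.add(directory.lower())
        elif "GENERIC_READ" in m.group("access") and path.lower().startswith("c:\\boot\\"):
            boot_opens[path] = m.group("ok") == "True"
    return note_dirs, boot_opens


if __name__ == "__main__":
    summary = triage_extracted(SAMPLE_EXTRACTED)
    print(f"{summary['total']} rows, {len(summary['encrypted'])} encrypted, "
          f"{len(summary['junction_loops'])} junction-loop paths")
    for original in summary["encrypted"]:
        print("  encrypted:", original)
    dirs, boot = note_fanout(SAMPLE_CREATES)
    print(f"ransom note dropped in {len(dirs)} distinct directories")
    for path, ok in sorted(boot.items()):
        print(f"  boot file open {'succeeded' if ok else 'FAILED'}: {path}")
```

Two caveats when running this over a full report: the junction-loop rows are duplicates of the same on-disk files, so count distinct originals after collapsing the repeated component rather than raw rows, or the number of "encrypted files" is inflated many times over; and a Success = False on a boot file here means the sandbox host kept it open, not that the sample spares it, so on a host where BCD is writable the outcome would be an unbootable machine rather than a clean recovery.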
Host Behavior
File (7847)
Operation Filename Additional Information Success Count Logfile
Create C:\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\BCD.LOG2 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\BCD.LOG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\BCD.LOG1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\BCD desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\bg-BG\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\BOOTSTAT.DAT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\cs-CZ\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 38
Fn
Create C:\Boot\da-DK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\de-DE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\el-GR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\en-GB\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\es-ES\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\es-MX\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\et-EE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\fi-FI\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\Fonts\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\fr-CA\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\fr-FR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\Fonts\wgl4_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\chs_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\hr-HR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\hu-HU\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\Fonts\cht_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\segoe_slboot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\it-IT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\Fonts\segmono_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\msyh_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\jpn_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\ja-JP\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\Fonts\kor_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\segoen_slboot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\msyhn_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\ko-KR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\Fonts\msjh_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\msjhn_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\meiryo_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\meiryon_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\malgunn_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\lt-LT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\Fonts\malgun_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\lv-LV\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\nb-NO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\nl-NL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\pl-PL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\pt-BR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\pt-PT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\qps-ploc\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\Resources\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\Resources\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\Resources\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\ro-RO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\ru-RU\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\sk-SK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\sl-SI\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\sr-Latn-CS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\sr-Latn-RS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\sv-SE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\tr-TR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\uk-UA\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\zh-CN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\zh-HK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\zh-TW\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Boot\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Fn
Create C:\Config.Msi\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\BOOTSECT.BAK desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\BOOTNXT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\bootmgr desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\All Users\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 6
Fn
Create C:\Documents and Settings\All Users\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Adobe\ARM\S\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Fn
Create C:\Documents and Settings\All Users\Application Data\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 6
Fn
Create C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Adobe\ARM\S\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Fn
Create C:\Documents and Settings\All Users\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 6
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 6
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 6
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 6
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 6
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 4
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 5
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 6
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 3
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 6
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 3
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 6
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 7
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 7
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\Acrobat Reader DC.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 4
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 27
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DataMart\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DeviceSync\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\Server\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MapData\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\NetFramework\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WDF\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Live\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WinMSIPC\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WwanSvc\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 5
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Active.GRL desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Pending.GRL desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\.oracle_jre_usage\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\installcache_x64\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\javapath\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\javapath_target_5923062\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 19
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{3c3aafc8-d898-43ec-998f-965ffdae065a}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{e52a6842-b0ac-476e-b48f-378a97a67346}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 6
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\regid.1991-06.com.microsoft\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\SoftwareDistribution\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Templates\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\UpdateStore\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.001.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.002.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.003.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.004.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.005.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.006.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.007.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.008.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.009.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.010.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.011.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.012.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.013.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.014.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.015.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.016.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.017.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.018.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.019.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.020.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.021.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateUx.001.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 9
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\Acrobat Reader DC.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 26
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\8C296B8E-6699-457C-9415-3D0647E1D775\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\9D76938C-943D-439F-A135-26D02821EE05\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 4
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 3
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\Catalog\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\Integration\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\ProductReleases\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\UserData\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 5
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\DSS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.0.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.1.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.2.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\DSS\MachineKeys\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\DSS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\Keys\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\PCPKSP\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\PCPKSP\WindowsAIK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_427a1946-e0ff-4097-8c9e-ca2c1e22780b desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\S-1-5-18\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\S-1-5-18\4eccd106f69e31c1b12304e5463bb71d_427a1946-e0ff-4097-8c9e-ca2c1e22780b desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\SystemKeys\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DataMart\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DataMart\PaidWiFi\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DataMart\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\SystemKeys\6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 3
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 3
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 3
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DeviceSync\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 4
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\AsimovUploader\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedScenarios\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 3
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\AutoLogger\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events00.rbs desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events01.rbs desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events10.rbs desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\LocalTraceStore\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 4
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\parse.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events11.rbs desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Sideload\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Siufloc\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\SoftLanding\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\SoftLandingStage\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\Server\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\Views\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\Views\ApplicationViewsRootNode\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\INT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\production\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\production\temp\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MapData\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\NetFramework\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\NetFramework\BreadcrumbStore\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Active.GRL desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Pending.GRL desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Connections\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\qmgr0.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\qmgr1.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\ClickToRunPackageLocker desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 14
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\countrytable.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\Administrator.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\CIiHmnxMn6Ps.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-192.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-32.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-40.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-48.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WDF\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 18
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 5
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\GenuineTicket\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Import\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Install\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataCache\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataStore\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceSoftwareUpdates\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DRM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DRM\Cache\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DRM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\GameExplorer\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\LfSvc\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\LfSvc\Geofence\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Parental Controls\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Power Efficiency Diagnostics\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\SleepStudy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 3
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\Manifest\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\Sessions\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\Upload\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Templates\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 3
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\ReportArchive\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\ReportQueue\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\Temp\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 9
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Clean Store\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Features\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\LocalCopy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Network Inspection System\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Quarantine\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 6
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\CleanFileTelemetry\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\CleanStore\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.67 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.7E desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.80 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.87 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.A0 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.CB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\RtSigs\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Support\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.CC desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.VE0 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.VE1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.VF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MpDiag.bin desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Live\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Live\WLive48x48.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 7
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\Inbox\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\Queue\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\SentItems\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSScan\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSScan\WelcomeScan.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WinMSIPC\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WinMSIPC\Server\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WinMSIPC\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WwanSvc\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WwanSvc\DMProfiles\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WwanSvc\Profiles\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WwanSvc\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\setup\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 4
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\setup\refcount.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\.oracle_jre_usage\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\installcache_x64\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\javapath\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\.oracle_jre_usage\17dfc292991c7c24.timestamp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\installcache_x64\baseimagefam8 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\javapath_target_5923062\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 18
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{3c3aafc8-d898-43ec-998f-965ffdae065a}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{e52a6842-b0ac-476e-b48f-378a97a67346}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\regid.1991-06.com.microsoft\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\SoftwareDistribution\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 3
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 3
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Math Input Panel.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Paint.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Snipping Tool.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Steps Recorder.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Sticky Notes.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows Fax and Scan.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows Media Player.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Wordpad.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\XPS Viewer.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Acrobat Reader DC.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Immersive Control Panel.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 3
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access 2016.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\About Java.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Check For Updates.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Configure Java.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Get Help.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Visit Java.com.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneDrive for Business.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint 2016.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher 2016.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business 2016.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Tablet PC\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Templates\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Default Programs.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Task Manager.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel 2016.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Visio.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PrintDialog.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Word.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneNote 2016.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Project.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Devices Flow.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\UpdateStore\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.001.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.002.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.003.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.004.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.005.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.006.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.007.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.008.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.009.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.010.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.011.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.012.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.013.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.014.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.015.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.016.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 3
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 3
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.017.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.018.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.019.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.020.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.021.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\8C296B8E-6699-457C-9415-3D0647E1D775\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\9D76938C-943D-439F-A135-26D02821EE05\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 4
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateUx.001.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Project 2016.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.2.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.1.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.0.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini.RYK desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini.RYK desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini.RYK desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini.RYK desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\Acrobat Reader DC.lnk.RYK desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Search.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Word 2016.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\Catalog\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\Catalog\Packages\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\Integration\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\Integration\ShortcutBackups\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\ProductReleases\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\ProductReleases\46750A92-D768-415D-ABAC-A9B18903B159\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\ProductReleases\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\UserData\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 8
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Outlook.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\DSS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\DSS\MachineKeys\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\DSS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 4
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\Keys\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\PCPKSP\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\PCPKSP\WindowsAIK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Visio 2016.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\PCPKSP\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Outlook 2016.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Desktop.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\MiracastView.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\S-1-5-18\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access.lnk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_427a1946-e0ff-4097-8c9e-ca2c1e22780b desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\S-1-5-18\4eccd106f69e31c1b12304e5463bb71d_427a1946-e0ff-4097-8c9e-ca2c1e22780b desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\SystemKeys\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\SystemKeys\6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DataMart\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DataMart\PaidWiFi\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DataMart\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DeviceSync\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\AsimovUploader\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 3
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedScenarios\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedScenarios\Windows.Uif.static desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\cfc.flights.json desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.bk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\utc.app.json desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\AutoLogger\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\LocalTraceStore\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events00.rbs desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events01.rbs desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events10.rbs desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events11.rbs desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 4
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Sideload\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\parse.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Siufloc\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\SoftLanding\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\SoftLandingStage\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\Server\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\Views\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\Views\ApplicationViewsRootNode\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\Views\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 3
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\INT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\production\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\production\temp\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\production\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 3
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MapData\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\NetFramework\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Active.GRL.RYK desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Pending.GRL.RYK desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\NetFramework\BreadcrumbStore\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\NetFramework\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 9
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Connections\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\qmgr1.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\qmgr0.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 13
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\ClickToRunPackageLocker desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\countrytable.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 4
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\Administrator.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\CIiHmnxMn6Ps.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-192.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WDF\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 15
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-32.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 78
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_10.0.0.0_x64__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.AAD.BrokerPlugin_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.AccountsControl_10.0.10240.16384_neutral__cw5n1h2txyewy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingFinance_4.3.193.0_x86__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingNews_4.3.193.0_x86__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingSports_4.3.193.0_x86__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.3.193.0_x86__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BioEnrollment_10.0.10240.16384_neutral__cw5n1h2txyewy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_2.1.9.0_x64__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.LockApp_10.0.10240.16384_neutral__cw5n1h2txyewy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftEdge_20.10240.16384.0_neutral__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_17.4218.23751.0_x64__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_x64__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.AssignedAccessLockApp_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.CloudExperienceHost_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ContentDeliveryManager_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Cortana_1.4.8.152_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ParentalControls_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ShellExperienceHost_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_10.1506.19010.0_x64__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedback_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsPhone_2015.620.10.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1506.15100.0_x64__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_2015.7.1.0_x64__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_5.6.17000.0_x64__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameCallableUI_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_3.6.10841.0_x64__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_3.6.10811.0_x64__8wekyb3d8bbwe\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Windows.ContactSupport_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\windows.devicesflow_6.2.0.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 4
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\Apps\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-40.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-48.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\GenuineTicket\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Import\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Install\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Install\Apps\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Install\Migration\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Install\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataCache\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataCache\dmrccache\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataCache\dmrccache\downloads\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataCache\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataStore\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataStore\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataStore\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceSoftwareUpdates\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DRM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DRM\Cache\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DRM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\GameExplorer\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\LfSvc\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\LfSvc\Geofence\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\LfSvc\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Parental Controls\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Parental Controls\settings\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Parental Controls\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Power Efficiency Diagnostics\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\SleepStudy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 3
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\Manifest\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\Sessions\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\Upload\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 9
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessibility\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 3
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Administrative Tools\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Java\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Maintenance\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016 Tools\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\StartUp\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\System Tools\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Tablet PC\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini size = 176 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini size = 6 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini size = 268 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini size = 288 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini size = 6 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini size = 268 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini size = 384 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini size = 6 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini size = 268 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini size = 1299 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini size = 384 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini size = 6 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini size = 268 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini size = 384 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini size = 6 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini size = 268 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini size = 176 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini size = 6 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini size = 268 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini.RYK size = 1392 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini.RYK size = 6 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini.RYK size = 268 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini.RYK size = 1299 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini size = 384 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini size = 6 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini size = 268 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini size = 1299 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini size = 1488 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini size = 6 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini size = 268 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini size = 192 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini size = 6 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini size = 268 True 1
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini size = 2608 True 1
Fn
Data
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini size = 6 True 1
Fn
Data
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini size = 268 True 1
Fn
Data
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini.RYK size = 2464 True 1
Fn
Data
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini.RYK size = 6 True 1
Fn
Data
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini.RYK size = 268 True 1
Fn
Data
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini size = 176 True 1
Fn
Data
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini size = 6 True 1
Fn
Data
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini size = 268 True 1
Fn
Data
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini size = 176 True 1
Fn
Data
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini size = 6 True 1
Fn
Data
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini size = 268 True 1
Fn
Data
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini size = 464 True 1
Fn
Data
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini size = 6 True 1
Fn
Data
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini size = 268 True 1
Fn
Data
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\desktop.ini size = 96 True 1
Fn
Data
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\desktop.ini size = 6 True 1
Fn
Data
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\desktop.ini size = 268 True 1
Fn
Data
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\desktop.ini size = 1299 True 1
Fn
Data
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini.RYK size = 1299 True 1
Fn
Data
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini.RYK size = 1299 True 1
Fn
Data
Write C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\MasterDatastore.xml size = 272 True 1
Fn
Data
For performance reasons, the remaining 4004 entries are omitted.
The remaining entries can be found in glog.xml.
Process (116)
Operation Process Additional Information Success Count Logfile
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 35
Fn
Open System desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\smss.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\wininit.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\services.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\lsass.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\dwm.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\sihost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\runtimebroker.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files (x86)\windows multimedia platform\commands-xerox-relationship.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files (x86)\internet explorer\entities.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files (x86)\adobe\explaining.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\windows photo viewer\ham.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\windows portable devices\hatsvegetablecontrollers.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files (x86)\windowspowershell\protein-senators-ev.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files (x86)\windowspowershell\character-collecting-vb.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\internet explorer\business-acrobat.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\common files\cowboy.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\uninstall information\ncstatementsinventory.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\windows sidebar\castlethatssystems.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\windows journal\use-sweden-decorative.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files (x86)\mozilla firefox\se-viii-pipes.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files (x86)\common files\watershed_morocco.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\windows journal\larry managers.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\windows portable devices\helpful.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\microsoft office\coast-domains.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files (x86)\windows mail\andy-aerial-spain.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\windows media player\security females ward.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files (x86)\windowspowershell\rw_monica.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\microsoft office\root\office16\msoia.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\audiodg.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\sppsvc.exe desired_access = PROCESS_ALL_ACCESS False 1
Fn
Open c:\windows\system32\sihost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\runtimebroker.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files (x86)\windows multimedia platform\commands-xerox-relationship.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files (x86)\internet explorer\entities.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files (x86)\adobe\explaining.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\windows photo viewer\ham.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\windows portable devices\hatsvegetablecontrollers.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files (x86)\windowspowershell\protein-senators-ev.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files (x86)\windowspowershell\character-collecting-vb.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\internet explorer\business-acrobat.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\common files\cowboy.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\uninstall information\ncstatementsinventory.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\windows sidebar\castlethatssystems.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\windows journal\use-sweden-decorative.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files (x86)\mozilla firefox\se-viii-pipes.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files (x86)\common files\watershed_morocco.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\windows journal\larry managers.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\windows portable devices\helpful.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\microsoft office\coast-domains.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files (x86)\windows mail\andy-aerial-spain.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\windows media player\security females ward.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files (x86)\windowspowershell\rw_monica.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\program files\microsoft office\root\office16\msoia.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Fn
Thread (6)
Operation Process Additional Information Success Count Logfile
Create c:\windows\system32\sihost.exe proc_address = 0x7ff6d3e72870, proc_parameter = 140698093813760, flags = THREAD_RUNS_IMMEDIATELY True 1
Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x7ff6d3e72870, proc_parameter = 140698093813760, flags = THREAD_RUNS_IMMEDIATELY True 1
Fn
Create c:\windows\system32\runtimebroker.exe proc_address = 0x7ff6d3e72870, proc_parameter = 140698093813760, flags = THREAD_RUNS_IMMEDIATELY True 1
Fn
Create c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe proc_address = 0x7ff6d3e72870, proc_parameter = 140698093813760, flags = THREAD_RUNS_IMMEDIATELY True 1
Fn
Create c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe proc_address = 0x7ff6d3e72870, proc_parameter = 140698093813760, flags = THREAD_RUNS_IMMEDIATELY True 1
Fn
Create c:\windows\system32\svchost.exe proc_address = 0x7ff6d3e72870, proc_parameter = 140698093813760, flags = THREAD_RUNS_IMMEDIATELY True 1
Fn
Memory (33)
Operation Process Additional Information Success Count Logfile
Allocate c:\windows\system32\sihost.exe address = 0x7ff6d3e70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x7ff6d3e70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 True 1
Fn
Allocate c:\windows\system32\runtimebroker.exe address = 0x7ff6d3e70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 True 1
Fn
Allocate c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe address = 0x7ff6d3e70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 True 1
Fn
Allocate c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe address = 0x7ff6d3e70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 True 1
Fn
Allocate c:\program files (x86)\windows multimedia platform\commands-xerox-relationship.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 False 1
Fn
Allocate c:\program files (x86)\internet explorer\entities.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 False 1
Fn
Allocate c:\program files (x86)\adobe\explaining.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 False 1
Fn
Allocate c:\program files\windows photo viewer\ham.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 False 1
Fn
Allocate c:\program files\windows portable devices\hatsvegetablecontrollers.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 False 1
Fn
Allocate c:\program files (x86)\windowspowershell\protein-senators-ev.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 False 1
Fn
Allocate c:\program files (x86)\windowspowershell\character-collecting-vb.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 False 1
Fn
Allocate c:\program files\internet explorer\business-acrobat.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 False 1
Fn
Allocate c:\program files\common files\cowboy.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 False 1
Fn
Allocate c:\program files\uninstall information\ncstatementsinventory.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 False 1
Fn
Allocate c:\program files\windows sidebar\castlethatssystems.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 False 1
Fn
Allocate c:\program files\windows journal\use-sweden-decorative.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 False 1
Fn
Allocate c:\program files (x86)\mozilla firefox\se-viii-pipes.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 False 1
Fn
Allocate c:\program files (x86)\common files\watershed_morocco.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 False 1
Fn
Allocate c:\program files\windows journal\larry managers.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 False 1
Fn
Allocate c:\program files\windows portable devices\helpful.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 False 1
Fn
Allocate c:\program files\microsoft office\coast-domains.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 False 1
Fn
Allocate c:\program files (x86)\windows mail\andy-aerial-spain.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 False 1
Fn
Allocate c:\program files\windows media player\security females ward.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 False 1
Fn
Allocate c:\program files (x86)\windowspowershell\rw_monica.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 False 1
Fn
Allocate c:\program files\microsoft office\root\office16\msoia.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 False 1
Fn
Allocate c:\windows\system32\svchost.exe address = 0x7ff6d3e70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 True 1
Fn
Write c:\windows\system32\sihost.exe address = 0x7ff6d3e70000, size = 3760128 True 1
Fn
Write c:\windows\system32\taskhostw.exe address = 0x7ff6d3e70000, size = 3760128 True 1
Fn
Write c:\windows\system32\runtimebroker.exe address = 0x7ff6d3e70000, size = 3760128 True 1
Fn
Write c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe address = 0x7ff6d3e70000, size = 3760128 True 1
Fn
Write c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe address = 0x7ff6d3e70000, size = 3760128 True 1
Fn
Write c:\windows\system32\svchost.exe address = 0x7ff6d3e70000, size = 3760128 True 1
Fn
Module (124)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x7ffc55040000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x7ffc55040000 True 2
Fn
Load advapi32 base_address = 0x7ffc57aa0000 True 1
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x7ffc55040000 True 1
Fn
Load kernel32.dll base_address = 0x7ffc55800000 True 1
Fn
Load mpr.dll base_address = 0x7ffc53810000 True 1
Fn
Load advapi32.dll base_address = 0x7ffc57aa0000 True 1
Fn
Load ole32.dll base_address = 0x7ffc57750000 True 1
Fn
Load Shell32.dll base_address = 0x7ffc559d0000 True 1
Fn
Load Iphlpapi.dll base_address = 0x7ffc51c50000 True 1
Fn
Get Handle c:\users\public\mksmd.exe base_address = 0x7ff6d3e70000 True 27
Fn
Get Filename - process_name = c:\users\public\mksmd.exe, file_name_orig = C:\users\Public\MKSMD.exe, size = 260 True 2
Fn
Get Filename - process_name = c:\users\public\mksmd.exe, file_name_orig = C:\users\Public\MKSMD.exe, size = 100 True 1
Fn
Get Address c:\windows\system32\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x7ffc55093900 True 2
Fn
Get Address c:\windows\system32\kernelbase.dll function = FlsAlloc, address_out = 0x7ffc550a4580 True 2
Fn
Get Address c:\windows\system32\kernelbase.dll function = FlsSetValue, address_out = 0x7ffc55092900 True 2
Fn
Get Address c:\windows\system32\advapi32.dll function = EventRegister, address_out = 0x7ffc57b88ff0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = EventSetInformation, address_out = 0x7ffc57b5e180 True 1
Fn
Get Address c:\windows\system32\kernelbase.dll function = FlsGetValue, address_out = 0x7ffc55088e40 True 1
Fn
Get Address c:\windows\system32\kernelbase.dll function = LCMapStringEx, address_out = 0x7ffc5505a930 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x7ffc55822080 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x7ffc55816060 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualFree, address_out = 0x7ffc5581bc10 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptExportKey, address_out = 0x7ffc57ab7b50 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = DeleteFileW, address_out = 0x7ffc558257a0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetDriveTypeW, address_out = 0x7ffc558258f0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineW, address_out = 0x7ffc55820150 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoW, address_out = 0x7ffc5581ed80 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindNextFileW, address_out = 0x7ffc55825880 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualAlloc, address_out = 0x7ffc5581baf0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7ffc57acec40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x7ffc5581ef50 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Wow64RevertWow64FsRedirection, address_out = 0x7ffc558436a0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateProcessA, address_out = 0x7ffc5581d5b0 True 1
Fn
Get Address c:\windows\system32\iphlpapi.dll function = GetIpNetTable, address_out = 0x7ffc51c6f0b0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetVersionExW, address_out = 0x7ffc5581aa30 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Wow64DisableWow64FsRedirection, address_out = 0x7ffc55843690 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetSystemDefaultLangID, address_out = 0x7ffc55822ba0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameW, address_out = 0x7ffc57abda40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x7ffc55825a90 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7ffc57ab7dd0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x7ffc55825510 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegSetValueExW, address_out = 0x7ffc57ab7850 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7ffc57ab72e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileA, address_out = 0x7ffc5583e430 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesW, address_out = 0x7ffc55825b00 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WinExec, address_out = 0x7ffc55841e60 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDeriveKey, address_out = 0x7ffc57ad07a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptGenKey, address_out = 0x7ffc57abcab0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Sleep, address_out = 0x7ffc55818f00 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x7ffc55816580 True 1
Fn
Get Address c:\windows\system32\shell32.dll function = ShellExecuteW, address_out = 0x7ffc55b1abc0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x7ffc55825950 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GlobalAlloc, address_out = 0x7ffc5581b810 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x7ffc558257c0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WaitForMultipleObjects, address_out = 0x7ffc558256e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x7ffc55820c70 True 1
Fn
Get Address c:\windows\system32\shell32.dll function = ShellExecuteA, address_out = 0x7ffc55bd7de0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x7ffc5581e6d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameW, address_out = 0x7ffc5581eca0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x7ffc55825760 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileSizeEx, address_out = 0x7ffc55825960 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x7ffc55825b80 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetLogicalDrives, address_out = 0x7ffc558166d0 True 1
Fn
Get Address c:\windows\system32\mpr.dll function = WNetEnumResourceW, address_out = 0x7ffc538127d0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExW, address_out = 0x7ffc57ab6cb0 True 1
Fn
Get Address c:\windows\system32\mpr.dll function = WNetCloseEnum, address_out = 0x7ffc53812e20 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x7ffc55822940 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesA, address_out = 0x7ffc55825af0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7ffc57ab7d70 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x7ffc55825b20 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTickCount, address_out = 0x7ffc558160a0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesW, address_out = 0x7ffc55825930 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileW, address_out = 0x7ffc55825840 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextW, address_out = 0x7ffc57ab89e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = MoveFileExW, address_out = 0x7ffc55823010 True 1
Fn
Get Address c:\windows\system32\mpr.dll function = WNetOpenEnumW, address_out = 0x7ffc53812f20 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoInitialize, address_out = 0x7ffc57763870 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDecrypt, address_out = 0x7ffc57ab9140 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptImportKey, address_out = 0x7ffc57ab7b40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFilePointerEx, address_out = 0x7ffc55825b30 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileW, address_out = 0x7ffc55825d70 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x7ffc5581eb90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateProcessW, address_out = 0x7ffc5581dee0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateDirectoryW, address_out = 0x7ffc55825740 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateThread, address_out = 0x7ffc5581bc20 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyKey, address_out = 0x7ffc57ab86b0 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7ffc57257000 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileW, address_out = 0x7ffc55825770 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x7ffc55825900 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptEncrypt, address_out = 0x7ffc57abd7e0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegDeleteValueW, address_out = 0x7ffc57ab90b0 True 1
Fn
Service (105)
Operation Additional Information Success Count Logfile
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
User (2)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
System (106)
Operation Additional Information Success Count
Sleep duration = 5000 milliseconds (5.000 seconds) True 2
Sleep duration = 500 milliseconds (0.500 seconds) True 27
Sleep duration = 150 milliseconds (0.150 seconds) True 37
Sleep duration = 50000 milliseconds (50.000 seconds) True 35
Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Get Info type = Operating System True 2
Get Info type = Windows Directory, result_out = C:\Windows True 2
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Process #3: sihost.exe
Information Value
ID #3
File Name c:\windows\system32\sihost.exe
Command Line sihost.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:02, Reason: Injection
Unmonitor End Time: 00:02:30, Reason: Crashed
Monitor Duration 00:00:28
OS Process Information
Information Value
PID 0x704
Parent PID 0x324 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x728, 0xBF8, 0x968, 0x490, 0x7CC, 0x7C8, 0x7BC, 0x7B0, 0x7AC, 0x774, 0x770, 0x76C, 0x708, 0xC34, 0xCB0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
pagefile_0x0000001e5f0d0000 0x1e5f0d0000 0x1e5f0dffff Pagefile Backed Memory rw True False False -
private_0x0000001e5f0e0000 0x1e5f0e0000 0x1e5f0e6fff Private Memory rw True False False -
pagefile_0x0000001e5f0f0000 0x1e5f0f0000 0x1e5f103fff Pagefile Backed Memory r True False False -
private_0x0000001e5f110000 0x1e5f110000 0x1e5f18ffff Private Memory rw True False False -
pagefile_0x0000001e5f190000 0x1e5f190000 0x1e5f193fff Pagefile Backed Memory r True False False -
private_0x0000001e5f1a0000 0x1e5f1a0000 0x1e5f1a1fff Private Memory rw True False False -
locale.nls 0x1e5f1b0000 0x1e5f26dfff Memory Mapped File r False False False -
private_0x0000001e5f270000 0x1e5f270000 0x1e5f2effff Private Memory rw True False False -
private_0x0000001e5f2f0000 0x1e5f2f0000 0x1e5f2f6fff Private Memory rw True False False -
private_0x0000001e5f300000 0x1e5f300000 0x1e5f300fff Private Memory rw True False False -
private_0x0000001e5f310000 0x1e5f310000 0x1e5f310fff Private Memory rw True False False -
pagefile_0x0000001e5f320000 0x1e5f320000 0x1e5f320fff Pagefile Backed Memory r True False False -
pagefile_0x0000001e5f330000 0x1e5f330000 0x1e5f330fff Pagefile Backed Memory r True False False -
private_0x0000001e5f340000 0x1e5f340000 0x1e5f43ffff Private Memory rw True False False -
private_0x0000001e5f440000 0x1e5f440000 0x1e5f53ffff Private Memory rw True False False -
private_0x0000001e5f540000 0x1e5f540000 0x1e5f54ffff Private Memory rw True False False -
pagefile_0x0000001e5f550000 0x1e5f550000 0x1e5f6d7fff Pagefile Backed Memory r True False False -
pagefile_0x0000001e5f6e0000 0x1e5f6e0000 0x1e5f860fff Pagefile Backed Memory r True False False -
pagefile_0x0000001e5f870000 0x1e5f870000 0x1e60c6ffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x1e60c70000 0x1e60fa6fff Memory Mapped File r False False False -
private_0x0000001e60fb0000 0x1e60fb0000 0x1e6102ffff Private Memory rw True False False -
private_0x0000001e61030000 0x1e61030000 0x1e610affff Private Memory rw True False False -
private_0x0000001e610b0000 0x1e610b0000 0x1e6112ffff Private Memory rw True False False -
private_0x0000001e61130000 0x1e61130000 0x1e611affff Private Memory rw True False False -
private_0x0000001e611b0000 0x1e611b0000 0x1e6122ffff Private Memory rw True False False -
private_0x0000001e61230000 0x1e61230000 0x1e612affff Private Memory rw True False False -
pagefile_0x0000001e612b0000 0x1e612b0000 0x1e612d9fff Pagefile Backed Memory rw True False False -
private_0x0000001e612f0000 0x1e612f0000 0x1e612fffff Private Memory rw True False False -
private_0x0000001e61300000 0x1e61300000 0x1e613fffff Private Memory rw True False False -
private_0x0000001e61400000 0x1e61400000 0x1e61bfffff Private Memory - True False False -
private_0x0000001e61c00000 0x1e61c00000 0x1e61c7ffff Private Memory rw True False False -
private_0x0000001e61c80000 0x1e61c80000 0x1e61cfffff Private Memory rw True False False -
private_0x0000001e61d00000 0x1e61d00000 0x1e61d7ffff Private Memory rw True False False -
kernelbase.dll.mui 0x1e61d80000 0x1e61e5efff Memory Mapped File r False False False -
private_0x0000001e61e60000 0x1e61e60000 0x1e61edffff Private Memory rw True False False -
private_0x0000001e61ee0000 0x1e61ee0000 0x1e61f5ffff Private Memory rw True False False -
private_0x0000001e61f60000 0x1e61f60000 0x1e61fdffff Private Memory rw True False False -
private_0x0000001e62060000 0x1e62060000 0x1e620dffff Private Memory rw True False False -
private_0x0000001e620e0000 0x1e620e0000 0x1e621dffff Private Memory rw True False False -
pagefile_0x00007df5ff450000 0x7df5ff450000 0x7ff5ff44ffff Pagefile Backed Memory - True False False -
private_0x00007ff6d3e70000 0x7ff6d3e70000 0x7ff6d4205fff Private Memory rwx True False False -
private_0x00007ff7050ac000 0x7ff7050ac000 0x7ff7050adfff Private Memory rw True False False -
private_0x00007ff7050b0000 0x7ff7050b0000 0x7ff7050b1fff Private Memory rw True False False -
private_0x00007ff7050b2000 0x7ff7050b2000 0x7ff7050b3fff Private Memory rw True False False -
private_0x00007ff7050b4000 0x7ff7050b4000 0x7ff7050b5fff Private Memory rw True False False -
private_0x00007ff7050b6000 0x7ff7050b6000 0x7ff7050b7fff Private Memory rw True False False -
private_0x00007ff7050b8000 0x7ff7050b8000 0x7ff7050b9fff Private Memory rw True False False -
private_0x00007ff7050ba000 0x7ff7050ba000 0x7ff7050bbfff Private Memory rw True False False -
private_0x00007ff7050bc000 0x7ff7050bc000 0x7ff7050bdfff Private Memory rw True False False -
private_0x00007ff7050be000 0x7ff7050be000 0x7ff7050bffff Private Memory rw True False False -
pagefile_0x00007ff7050c0000 0x7ff7050c0000 0x7ff7051bffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7051c0000 0x7ff7051c0000 0x7ff7051e2fff Pagefile Backed Memory r True False False -
private_0x00007ff7051e3000 0x7ff7051e3000 0x7ff7051e4fff Private Memory rw True False False -
private_0x00007ff7051e5000 0x7ff7051e5000 0x7ff7051e5fff Private Memory rw True False False -
private_0x00007ff7051e6000 0x7ff7051e6000 0x7ff7051e7fff Private Memory rw True False False -
private_0x00007ff7051e8000 0x7ff7051e8000 0x7ff7051e9fff Private Memory rw True False False -
private_0x00007ff7051ea000 0x7ff7051ea000 0x7ff7051ebfff Private Memory rw True False False -
private_0x00007ff7051ec000 0x7ff7051ec000 0x7ff7051edfff Private Memory rw True False False -
private_0x00007ff7051ee000 0x7ff7051ee000 0x7ff7051effff Private Memory rw True False False -
sihost.exe 0x7ff705a50000 0x7ff705a65fff Memory Mapped File rwx False False False -
staterepository.core.dll 0x7ffc46310000 0x7ffc463a8fff Memory Mapped File rwx False False False -
windows.staterepository.dll 0x7ffc463b0000 0x7ffc46641fff Memory Mapped File rwx False False False -
licensemanagerapi.dll 0x7ffc488a0000 0x7ffc488abfff Memory Mapped File rwx False False False -
twinui.appcore.dll 0x7ffc48970000 0x7ffc48b7cfff Memory Mapped File rwx False False False -
execmodelproxy.dll 0x7ffc48b80000 0x7ffc48b94fff Memory Mapped File rwx False False False -
sharehost.dll 0x7ffc48c80000 0x7ffc48d24fff Memory Mapped File rwx False False False -
appcontracts.dll 0x7ffc48d30000 0x7ffc48ddbfff Memory Mapped File rwx False False False -
wpportinglibrary.dll 0x7ffc48de0000 0x7ffc48de8fff Memory Mapped File rwx False False False -
modernexecserver.dll 0x7ffc48df0000 0x7ffc48ec7fff Memory Mapped File rwx False False False -
dsclient.dll 0x7ffc48ed0000 0x7ffc48edbfff Memory Mapped File rwx False False False -
userdatatypehelperutil.dll 0x7ffc48ee0000 0x7ffc48ef0fff Memory Mapped File rwx False False False -
appointmentactivation.dll 0x7ffc48f00000 0x7ffc48f21fff Memory Mapped File rwx False False False -
activationmanager.dll 0x7ffc48f30000 0x7ffc48f8dfff Memory Mapped File rwx False False False -
edputil.dll 0x7ffc48f90000 0x7ffc48fbefff Memory Mapped File rwx False False False -
clipboardserver.dll 0x7ffc48fc0000 0x7ffc48feffff Memory Mapped File rwx False False False -
actxprxy.dll 0x7ffc48ff0000 0x7ffc49459fff Memory Mapped File rwx False False False -
windows.shell.servicehostbuilder.dll 0x7ffc49460000 0x7ffc49471fff Memory Mapped File rwx False False False -
desktopshellext.dll 0x7ffc49480000 0x7ffc49496fff Memory Mapped File rwx False False False -
coreuicomponents.dll 0x7ffc49bb0000 0x7ffc49e10fff Memory Mapped File rwx False False False -
ondemandbrokerclient.dll 0x7ffc4b000000 0x7ffc4b010fff Memory Mapped File rwx False False False -
notificationplatformcomponent.dll 0x7ffc4b020000 0x7ffc4b02cfff Memory Mapped File rwx False False False -
execmodelclient.dll 0x7ffc4b030000 0x7ffc4b072fff Memory Mapped File rwx False False False -
iertutil.dll 0x7ffc4ddd0000 0x7ffc4e145fff Memory Mapped File rwx False False False -
msvcp110_win.dll 0x7ffc4f8f0000 0x7ffc4f981fff Memory Mapped File rwx False False False -
policymanager.dll 0x7ffc4f990000 0x7ffc4f9c8fff Memory Mapped File rwx False False False -
xmllite.dll 0x7ffc4fb00000 0x7ffc4fb35fff Memory Mapped File rwx False False False -
wintypes.dll 0x7ffc50c00000 0x7ffc50d30fff Memory Mapped File rwx False False False -
usermgrproxy.dll 0x7ffc50d40000 0x7ffc50d7dfff Memory Mapped File rwx False False False -
propsys.dll 0x7ffc511b0000 0x7ffc51332fff Memory Mapped File rwx False False False -
mmdevapi.dll 0x7ffc51340000 0x7ffc513b1fff Memory Mapped File rwx False False False -
usermgrcli.dll 0x7ffc51410000 0x7ffc5141ffff Memory Mapped File rwx False False False -
winnsi.dll 0x7ffc51c30000 0x7ffc51c3afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7ffc51c50000 0x7ffc51c87fff Memory Mapped File rwx False False False -
dwmapi.dll 0x7ffc525f0000 0x7ffc52611fff Memory Mapped File rwx False False False -
coremessaging.dll 0x7ffc52730000 0x7ffc527f7fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7ffc52d70000 0x7ffc52e05fff Memory Mapped File rwx False False False -
devobj.dll 0x7ffc52ef0000 0x7ffc52f16fff Memory Mapped File rwx False False False -
twinapi.appcore.dll 0x7ffc52f40000 0x7ffc5302dfff Memory Mapped File rwx False False False -
rmclient.dll 0x7ffc531b0000 0x7ffc531d7fff Memory Mapped File rwx False False False -
mpr.dll 0x7ffc53810000 0x7ffc5382bfff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
ntmarta.dll 0x7ffc53920000 0x7ffc53951fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7ffc53a90000 0x7ffc53ac2fff Memory Mapped File rwx False False False -
userenv.dll 0x7ffc53b80000 0x7ffc53b9efff Memory Mapped File rwx False False False -
cryptsp.dll 0x7ffc54210000 0x7ffc54226fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7ffc54280000 0x7ffc5428afff Memory Mapped File rwx False False False -
sspicli.dll 0x7ffc54320000 0x7ffc5434bfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7ffc543d0000 0x7ffc5443afff Memory Mapped File rwx False False False -
profapi.dll 0x7ffc54580000 0x7ffc54592fff Memory Mapped File rwx False False False -
powrprof.dll 0x7ffc545a0000 0x7ffc545e9fff Memory Mapped File rwx False False False -
msasn1.dll 0x7ffc545f0000 0x7ffc54600fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7ffc54610000 0x7ffc5461efff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7ffc54620000 0x7ffc54663fff Memory Mapped File rwx False False False -
windows.storage.dll 0x7ffc54670000 0x7ffc54c97fff Memory Mapped File rwx False False False -
crypt32.dll 0x7ffc54db0000 0x7ffc54f70fff Memory Mapped File rwx False False False -
shcore.dll 0x7ffc54f80000 0x7ffc55032fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
imm32.dll 0x7ffc55280000 0x7ffc552b5fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
msctf.dll 0x7ffc55380000 0x7ffc554dbfff Memory Mapped File rwx False False False -
user32.dll 0x7ffc554e0000 0x7ffc5562dfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7ffc55910000 0x7ffc559cdfff Memory Mapped File rwx False False False -
shell32.dll 0x7ffc559d0000 0x7ffc56ef4fff Memory Mapped File rwx False False False -
nsi.dll 0x7ffc56f00000 0x7ffc56f07fff Memory Mapped File rwx False False False -
gdi32.dll 0x7ffc56f10000 0x7ffc57094fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
combase.dll 0x7ffc571d0000 0x7ffc5744bfff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ole32.dll 0x7ffc57750000 0x7ffc57890fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7ffc578a0000 0x7ffc578f0fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7ffc57970000 0x7ffc57a14fff Memory Mapped File rwx False False False -
advapi32.dll 0x7ffc57aa0000 0x7ffc57b45fff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count
Modify Memory #2: c:\users\public\mksmd.exe 0x6b4 address = 0x7ff6d3e70000, size = 3760128 True 1
Create Remote Thread #2: c:\users\public\mksmd.exe 0x6b4 address = 0x7ff6d3e72870 True 1
Created Files
Filename File Size Hash Values YARA Match Actions
C:\users\Public\sys 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep: 3::
False
Host Behavior
File (2)
Operation Filename Additional Information Success Count
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN False 1
Create C:\users\Public\sys desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1
Module (78)
Operation Module Additional Information Success Count
Load kernel32.dll base_address = 0x7ffc55800000 True 1
Load mpr.dll base_address = 0x7ffc53810000 True 1
Load advapi32.dll base_address = 0x7ffc57aa0000 True 1
Load ole32.dll base_address = 0x7ffc57750000 True 1
Load Shell32.dll base_address = 0x7ffc559d0000 True 1
Load Iphlpapi.dll base_address = 0x7ffc51c50000 True 1
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x7ffc55822080 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x7ffc55816060 True 1
Get Address c:\windows\system32\kernel32.dll function = VirtualFree, address_out = 0x7ffc5581bc10 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptExportKey, address_out = 0x7ffc57ab7b50 True 1
Get Address c:\windows\system32\kernel32.dll function = DeleteFileW, address_out = 0x7ffc558257a0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetDriveTypeW, address_out = 0x7ffc558258f0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineW, address_out = 0x7ffc55820150 True 1
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoW, address_out = 0x7ffc5581ed80 True 1
Get Address c:\windows\system32\kernel32.dll function = FindNextFileW, address_out = 0x7ffc55825880 True 1
Get Address c:\windows\system32\kernel32.dll function = VirtualAlloc, address_out = 0x7ffc5581baf0 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7ffc57acec40 True 1
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x7ffc5581ef50 True 1
Get Address c:\windows\system32\kernel32.dll function = Wow64RevertWow64FsRedirection, address_out = 0x7ffc558436a0 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateProcessA, address_out = 0x7ffc5581d5b0 True 1
Get Address c:\windows\system32\iphlpapi.dll function = GetIpNetTable, address_out = 0x7ffc51c6f0b0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetVersionExW, address_out = 0x7ffc5581aa30 True 1
Get Address c:\windows\system32\kernel32.dll function = Wow64DisableWow64FsRedirection, address_out = 0x7ffc55843690 True 1
Get Address c:\windows\system32\kernel32.dll function = GetSystemDefaultLangID, address_out = 0x7ffc55822ba0 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameW, address_out = 0x7ffc57abda40 True 1
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x7ffc55825a90 True 1
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7ffc57ab7dd0 True 1
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x7ffc55825510 True 1
Get Address c:\windows\system32\advapi32.dll function = RegSetValueExW, address_out = 0x7ffc57ab7850 True 1
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7ffc57ab72e0 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileA, address_out = 0x7ffc5583e430 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesW, address_out = 0x7ffc55825b00 True 1
Get Address c:\windows\system32\kernel32.dll function = WinExec, address_out = 0x7ffc55841e60 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDeriveKey, address_out = 0x7ffc57ad07a0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptGenKey, address_out = 0x7ffc57abcab0 True 1
Get Address c:\windows\system32\kernel32.dll function = Sleep, address_out = 0x7ffc55818f00 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x7ffc55816580 True 1
Get Address c:\windows\system32\shell32.dll function = ShellExecuteW, address_out = 0x7ffc55b1abc0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x7ffc55825950 True 1
Get Address c:\windows\system32\kernel32.dll function = GlobalAlloc, address_out = 0x7ffc5581b810 True 1
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x7ffc558257c0 True 1
Get Address c:\windows\system32\kernel32.dll function = WaitForMultipleObjects, address_out = 0x7ffc558256e0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x7ffc55820c70 True 1
Get Address c:\windows\system32\shell32.dll function = ShellExecuteA, address_out = 0x7ffc55bd7de0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x7ffc5581e6d0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameW, address_out = 0x7ffc5581eca0 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x7ffc55825760 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileSizeEx, address_out = 0x7ffc55825960 True 1
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x7ffc55825b80 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLogicalDrives, address_out = 0x7ffc558166d0 True 1
Get Address c:\windows\system32\mpr.dll function = WNetEnumResourceW, address_out = 0x7ffc538127d0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExW, address_out = 0x7ffc57ab6cb0 True 1
Get Address c:\windows\system32\mpr.dll function = WNetCloseEnum, address_out = 0x7ffc53812e20 True 1
Get Address c:\windows\system32\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x7ffc55822940 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesA, address_out = 0x7ffc55825af0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7ffc57ab7d70 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x7ffc55825b20 True 1
Get Address c:\windows\system32\kernel32.dll function = GetTickCount, address_out = 0x7ffc558160a0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesW, address_out = 0x7ffc55825930 True 1
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileW, address_out = 0x7ffc55825840 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextW, address_out = 0x7ffc57ab89e0 True 1
Get Address c:\windows\system32\kernel32.dll function = MoveFileExW, address_out = 0x7ffc55823010 True 1
Get Address c:\windows\system32\mpr.dll function = WNetOpenEnumW, address_out = 0x7ffc53812f20 True 1
Get Address c:\windows\system32\ole32.dll function = CoInitialize, address_out = 0x7ffc57763870 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDecrypt, address_out = 0x7ffc57ab9140 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptImportKey, address_out = 0x7ffc57ab7b40 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFilePointerEx, address_out = 0x7ffc55825b30 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileW, address_out = 0x7ffc55825d70 True 1
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x7ffc5581eb90 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateProcessW, address_out = 0x7ffc5581dee0 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateDirectoryW, address_out = 0x7ffc55825740 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateThread, address_out = 0x7ffc5581bc20 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyKey, address_out = 0x7ffc57ab86b0 True 1
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7ffc57257000 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileW, address_out = 0x7ffc55825770 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x7ffc55825900 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptEncrypt, address_out = 0x7ffc57abd7e0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegDeleteValueW, address_out = 0x7ffc57ab90b0 True 1
User (1)
Operation Additional Information Success Count
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
System (3)
Operation Additional Information Success Count
Sleep duration = 5000 milliseconds (5.000 seconds) True 1
Get Info type = Operating System True 1
Get Info type = Windows Directory, result_out = C:\Windows True 1
Process #4: net.exe
Information Value
ID #4
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "spooler" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:14, Reason: Self Terminated
Monitor Duration 00:00:12
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc94
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC80, 0xC40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000fe8d9e0000 0xfe8d9e0000 0xfe8d9fffff Private Memory rw True False False -
pagefile_0x000000fe8d9e0000 0xfe8d9e0000 0xfe8d9effff Pagefile Backed Memory rw True False False -
pagefile_0x000000fe8da00000 0xfe8da00000 0xfe8da13fff Pagefile Backed Memory r True False False -
private_0x000000fe8da20000 0xfe8da20000 0xfe8da9ffff Private Memory rw True False False -
pagefile_0x000000fe8daa0000 0xfe8daa0000 0xfe8daa3fff Pagefile Backed Memory r True False False -
pagefile_0x000000fe8dab0000 0xfe8dab0000 0xfe8dab0fff Pagefile Backed Memory r True False False -
private_0x000000fe8dac0000 0xfe8dac0000 0xfe8dac1fff Private Memory rw True False False -
private_0x000000fe8db10000 0xfe8db10000 0xfe8dc0ffff Private Memory rw True False False -
pagefile_0x00007df5ffe60000 0x7df5ffe60000 0x7ff5ffe5ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff705e70000 0x7ff705e70000 0x7ff705f6ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff705f70000 0x7ff705f70000 0x7ff705f92fff Pagefile Backed Memory r True False False -
private_0x00007ff705f96000 0x7ff705f96000 0x7ff705f96fff Private Memory rw True False False -
private_0x00007ff705f9e000 0x7ff705f9e000 0x7ff705f9ffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #5: taskhostw.exe
Information Value
ID #5
File Name c:\windows\system32\taskhostw.exe
Command Line taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:03, Reason: Injection
Unmonitor End Time: 00:02:35, Reason: Crashed
Monitor Duration 00:00:32
OS Process Information
Information Value
PID 0x77c
Parent PID 0x324 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x4F0, 0x82C, 0xB7C, 0xAB0, 0xA2C, 0x940, 0x93C, 0x938, 0x934, 0x7B4, 0x780, 0xC90, 0xC98
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
pagefile_0x000000a699760000 0xa699760000 0xa69976ffff Pagefile Backed Memory rw True False False -
private_0x000000a699770000 0xa699770000 0xa699776fff Private Memory rw True False False -
pagefile_0x000000a699780000 0xa699780000 0xa699793fff Pagefile Backed Memory r True False False -
private_0x000000a6997a0000 0xa6997a0000 0xa69981ffff Private Memory rw True False False -
pagefile_0x000000a699820000 0xa699820000 0xa699823fff Pagefile Backed Memory r True False False -
pagefile_0x000000a699830000 0xa699830000 0xa699830fff Pagefile Backed Memory r True False False -
private_0x000000a699840000 0xa699840000 0xa699841fff Private Memory rw True False False -
private_0x000000a699850000 0xa699850000 0xa699856fff Private Memory rw True False False -
taskhostw.exe.mui 0xa699860000 0xa699860fff Memory Mapped File r False False False -
private_0x000000a699870000 0xa699870000 0xa699870fff Private Memory rw True False False -
private_0x000000a699880000 0xa699880000 0xa699880fff Private Memory rw True False False -
pagefile_0x000000a699890000 0xa699890000 0xa699893fff Pagefile Backed Memory r True False False -
pagefile_0x000000a6998a0000 0xa6998a0000 0xa6998a0fff Pagefile Backed Memory r True False False -
private_0x000000a6998b0000 0xa6998b0000 0xa6999affff Private Memory rw True False False -
locale.nls 0xa6999b0000 0xa699a6dfff Memory Mapped File r False False False -
private_0x000000a699a70000 0xa699a70000 0xa699aeffff Private Memory rw True False False -
private_0x000000a699af0000 0xa699af0000 0xa699b6ffff Private Memory rw True False False -
pagefile_0x000000a699b70000 0xa699b70000 0xa699c27fff Pagefile Backed Memory r True False False -
private_0x000000a699c30000 0xa699c30000 0xa699c3ffff Private Memory rw True False False -
pagefile_0x000000a699c40000 0xa699c40000 0xa699c40fff Pagefile Backed Memory r True False False -
pagefile_0x000000a699c50000 0xa699c50000 0xa699c50fff Pagefile Backed Memory rw True False False -
private_0x000000a699c60000 0xa699c60000 0xa699c60fff Private Memory rw True False False -
private_0x000000a699c70000 0xa699c70000 0xa699c7ffff Private Memory rw True False False -
pagefile_0x000000a699c80000 0xa699c80000 0xa699e07fff Pagefile Backed Memory r True False False -
pagefile_0x000000a699e10000 0xa699e10000 0xa699f90fff Pagefile Backed Memory r True False False -
pagefile_0x000000a699fa0000 0xa699fa0000 0xa69b39ffff Pagefile Backed Memory r True False False -
private_0x000000a69b3a0000 0xa69b3a0000 0xa69b41ffff Private Memory rw True False False -
private_0x000000a69b420000 0xa69b420000 0xa69b420fff Private Memory rw True False False -
pagefile_0x000000a69b430000 0xa69b430000 0xa69b43ffff Pagefile Backed Memory rw True False False -
pagefile_0x000000a69b440000 0xa69b440000 0xa69b44ffff Pagefile Backed Memory rw True False False -
pagefile_0x000000a69b450000 0xa69b450000 0xa69b45ffff Pagefile Backed Memory rw True False False -
pagefile_0x000000a69b460000 0xa69b460000 0xa69b46ffff Pagefile Backed Memory rw True False False -
pagefile_0x000000a69b470000 0xa69b470000 0xa69b47ffff Pagefile Backed Memory rw True False False -
pagefile_0x000000a69b480000 0xa69b480000 0xa69b48ffff Pagefile Backed Memory rw True False False -
private_0x000000a69b490000 0xa69b490000 0xa69b497fff Private Memory rw True False False -
winmm.dll.mui 0xa69b4a0000 0xa69b4a5fff Memory Mapped File r False False False -
webcachev01.dat 0xa69b4b0000 0xa69b4bffff Memory Mapped File r True False False -
webcachev01.dat 0xa69b4c0000 0xa69b4cffff Memory Mapped File r True False False -
pagefile_0x000000a69b4d0000 0xa69b4d0000 0xa69b4dffff Pagefile Backed Memory rw True False False -
webcachev01.dat 0xa69b4e0000 0xa69b4effff Memory Mapped File r True False False -
webcachev01.dat 0xa69b4f0000 0xa69b4fffff Memory Mapped File r True False False -
webcachev01.dat 0xa69b500000 0xa69b50ffff Memory Mapped File r True False False -
webcachev01.dat 0xa69b510000 0xa69b51ffff Memory Mapped File r True False False -
sortdefault.nls 0xa69b520000 0xa69b856fff Memory Mapped File r False False False -
private_0x000000a69b860000 0xa69b860000 0xa69b8dffff Private Memory rw True False False -
private_0x000000a69b8e0000 0xa69b8e0000 0xa69b95ffff Private Memory rw True False False -
private_0x000000a69b960000 0xa69b960000 0xa69ba5ffff Private Memory rw True False False -
msctfmonitor.dll.mui 0xa69ba60000 0xa69ba60fff Memory Mapped File r False False False -
private_0x000000a69ba70000 0xa69ba70000 0xa69baeffff Private Memory rw True False False -
pagefile_0x000000a69baf0000 0xa69baf0000 0xa69baf0fff Pagefile Backed Memory rw True False False -
private_0x000000a69bb00000 0xa69bb00000 0xa69bb06fff Private Memory rw True False False -
pagefile_0x000000a69bb10000 0xa69bb10000 0xa69bb1ffff Pagefile Backed Memory rw True False False -
pagefile_0x000000a69bb20000 0xa69bb20000 0xa69bb2ffff Pagefile Backed Memory rw True False False -
pagefile_0x000000a69bb30000 0xa69bb30000 0xa69bb3ffff Pagefile Backed Memory rw True False False -
pagefile_0x000000a69bb40000 0xa69bb40000 0xa69bb4ffff Pagefile Backed Memory rw True False False -
pagefile_0x000000a69bb50000 0xa69bb50000 0xa69bb5ffff Pagefile Backed Memory rw True False False -
pagefile_0x000000a69bb60000 0xa69bb60000 0xa69bb6ffff Pagefile Backed Memory rw True False False -
private_0x000000a69bb70000 0xa69bb70000 0xa69cb6ffff Private Memory rw True False False -
private_0x000000a69cb70000 0xa69cb70000 0xa69cb70fff Private Memory rw True False False -
private_0x000000a69cb80000 0xa69cb80000 0xa69cb80fff Private Memory rw True False False -
private_0x000000a69cb90000 0xa69cb90000 0xa69cb93fff Private Memory rw True False False -
private_0x000000a69cba0000 0xa69cba0000 0xa69cba1fff Private Memory rw True False False -
private_0x000000a69cbb0000 0xa69cbb0000 0xa69cbb0fff Private Memory rw True False False -
private_0x000000a69cbc0000 0xa69cbc0000 0xa69cc4ffff Private Memory rw True False False -
private_0x000000a69cc50000 0xa69cc50000 0xa6a0c4ffff Private Memory rw True False False -
private_0x000000a6a0c50000 0xa6a0c50000 0xa6a4c4ffff Private Memory rw True False False -
private_0x000000a6a4c50000 0xa6a4c50000 0xa6a4c57fff Private Memory rw True False False -
webcachev01.dat 0xa6a4c60000 0xa6a4c6ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4c70000 0xa6a4c7ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4c80000 0xa6a4c8ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4c90000 0xa6a4c9ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4ca0000 0xa6a4caffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4cb0000 0xa6a4cbffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4cc0000 0xa6a4ccffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4cd0000 0xa6a4cdffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4ce0000 0xa6a4ceffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4cf0000 0xa6a4cfffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4d00000 0xa6a4d0ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4d10000 0xa6a4d1ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4d20000 0xa6a4d2ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4d30000 0xa6a4d3ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4d40000 0xa6a4d4ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4d50000 0xa6a4d5ffff Memory Mapped File r True False False -
private_0x000000a6a4d60000 0xa6a4d60000 0xa6a4ddffff Private Memory rw True False False -
private_0x000000a6a4de0000 0xa6a4de0000 0xa6a4de7fff Private Memory rw True False False -
webcachev01.dat 0xa6a4df0000 0xa6a4dfffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4e00000 0xa6a4e0ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4e10000 0xa6a4e1ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4e20000 0xa6a4e2ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4e30000 0xa6a4e3ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4e40000 0xa6a4e4ffff Memory Mapped File r True False False -
private_0x000000a6a4e50000 0xa6a4e50000 0xa6a4e57fff Private Memory rw True False False -
webcachev01.dat 0xa6a4e60000 0xa6a4e6ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4e70000 0xa6a4e7ffff Memory Mapped File r True False False -
pagefile_0x000000a6a4e80000 0xa6a4e80000 0xa6a4e8ffff Pagefile Backed Memory rw True False False -
webcachev01.dat 0xa6a4e90000 0xa6a4e9ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4ea0000 0xa6a4eaffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4eb0000 0xa6a4ebffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4ec0000 0xa6a4ecffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4ed0000 0xa6a4edffff Memory Mapped File r True False False -
private_0x000000a6a4ee0000 0xa6a4ee0000 0xa6a4f5ffff Private Memory rw True False False -
pagefile_0x000000a6a4f60000 0xa6a4f60000 0xa6a4f6ffff Pagefile Backed Memory rw True False False -
webcachev01.dat 0xa6a4f70000 0xa6a4f7ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4f80000 0xa6a4f8ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4f90000 0xa6a4f9ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a4fa0000 0xa6a4faffff Memory Mapped File r True False False -
private_0x000000a6a4fb0000 0xa6a4fb0000 0xa6a502ffff Private Memory rw True False False -
private_0x000000a6a5030000 0xa6a5030000 0xa6a50affff Private Memory rw True False False -
webcachev01.dat 0xa6a50b0000 0xa6a50bffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a50c0000 0xa6a50cffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a50d0000 0xa6a50dffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a50e0000 0xa6a50effff Memory Mapped File r True False False -
webcachev01.dat 0xa6a50f0000 0xa6a50fffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a5100000 0xa6a510ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a5110000 0xa6a511ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a5120000 0xa6a512ffff Memory Mapped File r True False False -
private_0x000000a6a5130000 0xa6a5130000 0xa6a522ffff Private Memory rw True False False -
webcachev01.dat 0xa6a5230000 0xa6a523ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a5240000 0xa6a524ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a5250000 0xa6a525ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a5260000 0xa6a526ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a5270000 0xa6a527ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a5280000 0xa6a528ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a5290000 0xa6a529ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a52a0000 0xa6a52affff Memory Mapped File r True False False -
webcachev01.dat 0xa6a52b0000 0xa6a52bffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a52c0000 0xa6a52cffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a52d0000 0xa6a52dffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a52e0000 0xa6a52effff Memory Mapped File r True False False -
webcachev01.dat 0xa6a52f0000 0xa6a52fffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a5300000 0xa6a530ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a5310000 0xa6a531ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a5320000 0xa6a532ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a5330000 0xa6a533ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a5340000 0xa6a534ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a5350000 0xa6a535ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a5360000 0xa6a536ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a5370000 0xa6a537ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a5380000 0xa6a538ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a5390000 0xa6a539ffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a53a0000 0xa6a53affff Memory Mapped File r True False False -
webcachev01.dat 0xa6a53b0000 0xa6a53bffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a53c0000 0xa6a53cffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a53d0000 0xa6a53dffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a53e0000 0xa6a53effff Memory Mapped File r True False False -
webcachev01.dat 0xa6a53f0000 0xa6a53fffff Memory Mapped File r True False False -
webcachev01.dat 0xa6a5400000 0xa6a540ffff Memory Mapped File r True False False -
private_0x000000a6a5410000 0xa6a5410000 0xa6a5417fff Private Memory rw True False False -
webcachev01.dat 0xa6a5420000 0xa6a542ffff Memory Mapped File r True False False -
For performance reasons, the remaining 68 entries are omitted.
The remaining entries can be found in flog.txt.
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #2: c:\users\public\mksmd.exe 0x6b4 address = 0x7ff6d3e70000, size = 3760128 True 1
Fn
Data
Create Remote Thread #2: c:\users\public\mksmd.exe 0x6b4 address = 0x7ff6d3e72870 True 1
Fn
Host Behavior
File (3)
Operation Filename Additional Information Success Count Logfile
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN False 2
Fn
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1
Fn
Module (78)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x7ffc55800000 True 1
Fn
Load mpr.dll base_address = 0x7ffc53810000 True 1
Fn
Load advapi32.dll base_address = 0x7ffc57aa0000 True 1
Fn
Load ole32.dll base_address = 0x7ffc57750000 True 1
Fn
Load Shell32.dll base_address = 0x7ffc559d0000 True 1
Fn
Load Iphlpapi.dll base_address = 0x7ffc51c50000 True 1
Fn
Get Address Unknown module name function = LoadLibraryA, address_out = 0x7ffc55822080 True 1
Fn
Get Address Unknown module name function = GetLastError, address_out = 0x7ffc55816060 True 1
Fn
Get Address Unknown module name function = VirtualFree, address_out = 0x7ffc5581bc10 True 1
Fn
Get Address Unknown module name function = CryptExportKey, address_out = 0x7ffc57ab7b50 True 1
Fn
Get Address Unknown module name function = DeleteFileW, address_out = 0x7ffc558257a0 True 1
Fn
Get Address Unknown module name function = GetDriveTypeW, address_out = 0x7ffc558258f0 True 1
Fn
Get Address Unknown module name function = GetCommandLineW, address_out = 0x7ffc55820150 True 1
Fn
Get Address Unknown module name function = GetStartupInfoW, address_out = 0x7ffc5581ed80 True 1
Fn
Get Address Unknown module name function = FindNextFileW, address_out = 0x7ffc55825880 True 1
Fn
Get Address Unknown module name function = VirtualAlloc, address_out = 0x7ffc5581baf0 True 1
Fn
Get Address Unknown module name function = GetUserNameA, address_out = 0x7ffc57acec40 True 1
Fn
Get Address Unknown module name function = ExitProcess, address_out = 0x7ffc5581ef50 True 1
Fn
Get Address Unknown module name function = Wow64RevertWow64FsRedirection, address_out = 0x7ffc558436a0 True 1
Fn
Get Address Unknown module name function = CreateProcessA, address_out = 0x7ffc5581d5b0 True 1
Fn
Get Address Unknown module name function = GetIpNetTable, address_out = 0x7ffc51c6f0b0 True 1
Fn
Get Address Unknown module name function = GetVersionExW, address_out = 0x7ffc5581aa30 True 1
Fn
Get Address Unknown module name function = Wow64DisableWow64FsRedirection, address_out = 0x7ffc55843690 True 1
Fn
Get Address Unknown module name function = GetSystemDefaultLangID, address_out = 0x7ffc55822ba0 True 1
Fn
Get Address Unknown module name function = GetUserNameW, address_out = 0x7ffc57abda40 True 1
Fn
Get Address Unknown module name function = ReadFile, address_out = 0x7ffc55825a90 True 1
Fn
Get Address Unknown module name function = RegQueryValueExA, address_out = 0x7ffc57ab7dd0 True 1
Fn
Get Address Unknown module name function = CloseHandle, address_out = 0x7ffc55825510 True 1
Fn
Get Address Unknown module name function = RegSetValueExW, address_out = 0x7ffc57ab7850 True 1
Fn
Get Address Unknown module name function = RegCloseKey, address_out = 0x7ffc57ab72e0 True 1
Fn
Get Address Unknown module name function = CopyFileA, address_out = 0x7ffc5583e430 True 1
Fn
Get Address Unknown module name function = SetFileAttributesW, address_out = 0x7ffc55825b00 True 1
Fn
Get Address Unknown module name function = WinExec, address_out = 0x7ffc55841e60 True 1
Fn
Get Address Unknown module name function = CryptDeriveKey, address_out = 0x7ffc57ad07a0 True 1
Fn
Get Address Unknown module name function = CryptGenKey, address_out = 0x7ffc57abcab0 True 1
Fn
Get Address Unknown module name function = Sleep, address_out = 0x7ffc55818f00 True 1
Fn
Get Address Unknown module name function = GetCurrentProcess, address_out = 0x7ffc55816580 True 1
Fn
Get Address Unknown module name function = ShellExecuteW, address_out = 0x7ffc55b1abc0 True 1
Fn
Get Address Unknown module name function = GetFileSize, address_out = 0x7ffc55825950 True 1
Fn
Get Address Unknown module name function = GlobalAlloc, address_out = 0x7ffc5581b810 True 1
Fn
Get Address Unknown module name function = FindClose, address_out = 0x7ffc558257c0 True 1
Fn
Get Address Unknown module name function = WaitForMultipleObjects, address_out = 0x7ffc558256e0 True 1
Fn
Get Address Unknown module name function = GetModuleFileNameA, address_out = 0x7ffc55820c70 True 1
Fn
Get Address Unknown module name function = ShellExecuteA, address_out = 0x7ffc55bd7de0 True 1
Fn
Get Address Unknown module name function = GetModuleHandleA, address_out = 0x7ffc5581e6d0 True 1
Fn
Get Address Unknown module name function = GetModuleFileNameW, address_out = 0x7ffc5581eca0 True 1
Fn
Get Address Unknown module name function = CreateFileA, address_out = 0x7ffc55825760 True 1
Fn
Get Address Unknown module name function = GetFileSizeEx, address_out = 0x7ffc55825960 True 1
Fn
Get Address Unknown module name function = WriteFile, address_out = 0x7ffc55825b80 True 1
Fn
Get Address Unknown module name function = GetLogicalDrives, address_out = 0x7ffc558166d0 True 1
Fn
Get Address Unknown module name function = WNetEnumResourceW, address_out = 0x7ffc538127d0 True 1
Fn
Get Address Unknown module name function = RegOpenKeyExW, address_out = 0x7ffc57ab6cb0 True 1
Fn
Get Address Unknown module name function = WNetCloseEnum, address_out = 0x7ffc53812e20 True 1
Fn
Get Address Unknown module name function = GetWindowsDirectoryW, address_out = 0x7ffc55822940 True 1
Fn
Get Address Unknown module name function = SetFileAttributesA, address_out = 0x7ffc55825af0 True 1
Fn
Get Address Unknown module name function = RegOpenKeyExA, address_out = 0x7ffc57ab7d70 True 1
Fn
Get Address Unknown module name function = SetFilePointer, address_out = 0x7ffc55825b20 True 1
Fn
Get Address Unknown module name function = GetTickCount, address_out = 0x7ffc558160a0 True 1
Fn
Get Address Unknown module name function = GetFileAttributesW, address_out = 0x7ffc55825930 True 1
Fn
Get Address Unknown module name function = FindFirstFileW, address_out = 0x7ffc55825840 True 1
Fn
Get Address Unknown module name function = CryptAcquireContextW, address_out = 0x7ffc57ab89e0 True 1
Fn
Get Address Unknown module name function = MoveFileExW, address_out = 0x7ffc55823010 True 1
Fn
Get Address Unknown module name function = WNetOpenEnumW, address_out = 0x7ffc53812f20 True 1
Fn
Get Address Unknown module name function = CoInitialize, address_out = 0x7ffc57763870 True 1
Fn
Get Address Unknown module name function = CryptDecrypt, address_out = 0x7ffc57ab9140 True 1
Fn
Get Address Unknown module name function = CryptImportKey, address_out = 0x7ffc57ab7b40 True 1
Fn
Get Address Unknown module name function = SetFilePointerEx, address_out = 0x7ffc55825b30 True 1
Fn
Get Address Unknown module name function = CopyFileW, address_out = 0x7ffc55825d70 True 1
Fn
Get Address Unknown module name function = FreeLibrary, address_out = 0x7ffc5581eb90 True 1
Fn
Get Address Unknown module name function = CreateProcessW, address_out = 0x7ffc5581dee0 True 1
Fn
Get Address Unknown module name function = CreateDirectoryW, address_out = 0x7ffc55825740 True 1
Fn
Get Address Unknown module name function = CreateThread, address_out = 0x7ffc5581bc20 True 1
Fn
Get Address Unknown module name function = CryptDestroyKey, address_out = 0x7ffc57ab86b0 True 1
Fn
Get Address Unknown module name function = CoCreateInstance, address_out = 0x7ffc57257000 True 1
Fn
Get Address Unknown module name function = CreateFileW, address_out = 0x7ffc55825770 True 1
Fn
Get Address Unknown module name function = GetFileAttributesA, address_out = 0x7ffc55825900 True 1
Fn
Get Address Unknown module name function = CryptEncrypt, address_out = 0x7ffc57abd7e0 True 1
Fn
Get Address Unknown module name function = RegDeleteValueW, address_out = 0x7ffc57ab90b0 True 1
Fn
User (1)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Fn
System (7)
Operation Additional Information Success Count Logfile
Sleep duration = 5000 milliseconds (5.000 seconds) True 1
Fn
Sleep duration = 25000 milliseconds (25.000 seconds) True 2
Fn
Get Info type = Operating System True 1
Fn
Get Info type = Windows Directory, result_out = C:\Windows True 3
Fn
Process #6: net.exe
Information Value
ID #6
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:02:03, Reason: Child Process
Unmonitor End Time: 00:02:16, Reason: Self Terminated
Monitor Duration 00:00:13
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd48
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD4C
0xD64
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000058906a0000 0x58906a0000 0x58906bffff Private Memory rw True False False -
pagefile_0x00000058906a0000 0x58906a0000 0x58906affff Pagefile Backed Memory rw True False False -
private_0x00000058906b0000 0x58906b0000 0x58906b6fff Private Memory rw True False False -
pagefile_0x00000058906c0000 0x58906c0000 0x58906d3fff Pagefile Backed Memory r True False False -
private_0x00000058906e0000 0x58906e0000 0x589075ffff Private Memory rw True False False -
pagefile_0x0000005890760000 0x5890760000 0x5890763fff Pagefile Backed Memory r True False False -
pagefile_0x0000005890770000 0x5890770000 0x5890770fff Pagefile Backed Memory r True False False -
private_0x0000005890780000 0x5890780000 0x5890781fff Private Memory rw True False False -
locale.nls 0x5890790000 0x589084dfff Memory Mapped File r False False False -
private_0x0000005890850000 0x5890850000 0x58908cffff Private Memory rw True False False -
private_0x00000058908d0000 0x58908d0000 0x58908d6fff Private Memory rw True False False -
private_0x0000005890930000 0x5890930000 0x5890a2ffff Private Memory rw True False False -
private_0x0000005890af0000 0x5890af0000 0x5890afffff Private Memory rw True False False -
pagefile_0x00007df5ff110000 0x7df5ff110000 0x7ff5ff10ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff705dd0000 0x7ff705dd0000 0x7ff705ecffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff705ed0000 0x7ff705ed0000 0x7ff705ef2fff Pagefile Backed Memory r True False False -
private_0x00007ff705efa000 0x7ff705efa000 0x7ff705efbfff Private Memory rw True False False -
private_0x00007ff705efc000 0x7ff705efc000 0x7ff705efdfff Private Memory rw True False False -
private_0x00007ff705efe000 0x7ff705efe000 0x7ff705efefff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
browcli.dll 0x7ffc466b0000 0x7ffc466c3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
winnsi.dll 0x7ffc51c30000 0x7ffc51c3afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7ffc51c50000 0x7ffc51c87fff Memory Mapped File rwx False False False -
mpr.dll 0x7ffc53810000 0x7ffc5382bfff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
nsi.dll 0x7ffc56f00000 0x7ffc56f07fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #9: runtimebroker.exe
Information Value
ID #9
File Name c:\windows\system32\runtimebroker.exe
Command Line C:\Windows\System32\RuntimeBroker.exe -Embedding
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:04, Reason: Injection
Unmonitor End Time: 00:02:48, Reason: Crashed
Monitor Duration 00:00:44
OS Process Information
Information Value
PID 0x7f8
Parent PID 0x23c (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xCA0
0xC60
0xC30
0xFEC
0xA1C
0x854
0x83C
0x808
0x11C
0xD0
0xCC0
0xD68
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
pagefile_0x0000003cd1d40000 0x3cd1d40000 0x3cd1d4ffff Pagefile Backed Memory rw True False False -
private_0x0000003cd1d50000 0x3cd1d50000 0x3cd1d50fff Private Memory rw True False False -
pagefile_0x0000003cd1d60000 0x3cd1d60000 0x3cd1d73fff Pagefile Backed Memory r True False False -
private_0x0000003cd1d80000 0x3cd1d80000 0x3cd1dfffff Private Memory rw True False False -
pagefile_0x0000003cd1e00000 0x3cd1e00000 0x3cd1e03fff Pagefile Backed Memory r True False False -
pagefile_0x0000003cd1e10000 0x3cd1e10000 0x3cd1e11fff Pagefile Backed Memory r True False False -
private_0x0000003cd1e20000 0x3cd1e20000 0x3cd1e21fff Private Memory rw True False False -
private_0x0000003cd1e30000 0x3cd1e30000 0x3cd1e36fff Private Memory rw True False False -
locale.nls 0x3cd1e40000 0x3cd1efdfff Memory Mapped File r False False False -
private_0x0000003cd1f00000 0x3cd1f00000 0x3cd1ffffff Private Memory rw True False False -
private_0x0000003cd2000000 0x3cd2000000 0x3cd207ffff Private Memory rw True False False -
private_0x0000003cd2080000 0x3cd2080000 0x3cd20fffff Private Memory rw True False False -
private_0x0000003cd2100000 0x3cd2100000 0x3cd2100fff Private Memory rw True False False -
pagefile_0x0000003cd2110000 0x3cd2110000 0x3cd2110fff Pagefile Backed Memory r True False False -
private_0x0000003cd2120000 0x3cd2120000 0x3cd219ffff Private Memory rw True False False -
pagefile_0x0000003cd21a0000 0x3cd21a0000 0x3cd21a0fff Pagefile Backed Memory r True False False -
pagefile_0x0000003cd21b0000 0x3cd21b0000 0x3cd21d9fff Pagefile Backed Memory rw True False False -
pagefile_0x0000003cd21e0000 0x3cd21e0000 0x3cd21e2fff Pagefile Backed Memory r True False False -
private_0x0000003cd21f0000 0x3cd21f0000 0x3cd21f6fff Private Memory rw True False False -
private_0x0000003cd2200000 0x3cd2200000 0x3cd2206fff Private Memory rw True False False -
private_0x0000003cd2210000 0x3cd2210000 0x3cd228ffff Private Memory rw True False False -
pagefile_0x0000003cd2290000 0x3cd2290000 0x3cd2290fff Pagefile Backed Memory rw True False False -
pagefile_0x0000003cd22a0000 0x3cd22a0000 0x3cd22a0fff Pagefile Backed Memory rw True False False -
windows.storage.dll.mui 0x3cd22b0000 0x3cd22b7fff Memory Mapped File r False False False -
cversions.2.db 0x3cd22c0000 0x3cd22c3fff Memory Mapped File r True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db 0x3cd22d0000 0x3cd22e2fff Memory Mapped File r True False False -
pagefile_0x0000003cd22f0000 0x3cd22f0000 0x3cd22f0fff Pagefile Backed Memory rw True False False -
private_0x0000003cd2300000 0x3cd2300000 0x3cd23fffff Private Memory rw True False False -
pagefile_0x0000003cd2400000 0x3cd2400000 0x3cd2587fff Pagefile Backed Memory r True False False -
pagefile_0x0000003cd2590000 0x3cd2590000 0x3cd2710fff Pagefile Backed Memory r True False False -
pagefile_0x0000003cd2720000 0x3cd2720000 0x3cd3b1ffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x3cd3b20000 0x3cd3e56fff Memory Mapped File r False False False -
private_0x0000003cd3e60000 0x3cd3e60000 0x3cd3edffff Private Memory rw True False False -
private_0x0000003cd3ee0000 0x3cd3ee0000 0x3cd3f5ffff Private Memory rw True False False -
private_0x0000003cd3f60000 0x3cd3f60000 0x3cd3fdffff Private Memory rw True False False -
private_0x0000003cd3fe0000 0x3cd3fe0000 0x3cd40dffff Private Memory rw True False False -
cversions.2.db 0x3cd40e0000 0x3cd40e3fff Memory Mapped File r True False False -
private_0x0000003cd4100000 0x3cd4100000 0x3cd41fffff Private Memory rw True False False -
kernelbase.dll.mui 0x3cd4200000 0x3cd42defff Memory Mapped File r False False False -
runtimebroker.exe 0x7ff60a170000 0x7ff60a185fff Memory Mapped File rwx False False False -
private_0x00007ff6d3e70000 0x7ff6d3e70000 0x7ff6d4205fff Private Memory rwx True False False -
Injection Information
Injection Type | Source Process | Source OS Thread ID | Information | Success | Count
Modify Memory | #2: c:\users\public\mksmd.exe | 0x6b4 | address = 0x7ff6d3e70000, size = 3760128 | True | 1
Create Remote Thread | #2: c:\users\public\mksmd.exe | 0x6b4 | address = 0x7ff6d3e72870 | True | 1
Host Behavior
File (4)
Operation | Filename | Additional Information | Success | Count
Create | C:\users\Public\sys | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN | False | 3
Create | C:\users\Public\sys | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN | True | 1
Module (78)
Operation | Module | Additional Information | Success | Count
Load | kernel32.dll | base_address = 0x7ffc55800000 | True | 1
Load | mpr.dll | base_address = 0x7ffc53810000 | True | 1
Load | advapi32.dll | base_address = 0x7ffc57aa0000 | True | 1
Load | ole32.dll | base_address = 0x7ffc57750000 | True | 1
Load | Shell32.dll | base_address = 0x7ffc559d0000 | True | 1
Load | Iphlpapi.dll | base_address = 0x7ffc51c50000 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7ffc55822080 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7ffc55816060 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = VirtualFree, address_out = 0x7ffc5581bc10 | True | 1
Get Address | c:\windows\system32\advapi32.dll | function = CryptExportKey, address_out = 0x7ffc57ab7b50 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileW, address_out = 0x7ffc558257a0 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = GetDriveTypeW, address_out = 0x7ffc558258f0 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = GetCommandLineW, address_out = 0x7ffc55820150 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = GetStartupInfoW, address_out = 0x7ffc5581ed80 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileW, address_out = 0x7ffc55825880 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = VirtualAlloc, address_out = 0x7ffc5581baf0 | True | 1
Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7ffc57acec40 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = ExitProcess, address_out = 0x7ffc5581ef50 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffc558436a0 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x7ffc5581d5b0 | True | 1
Get Address | c:\windows\system32\iphlpapi.dll | function = GetIpNetTable, address_out = 0x7ffc51c6f0b0 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x7ffc5581aa30 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffc55843690 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDefaultLangID, address_out = 0x7ffc55822ba0 | True | 1
Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameW, address_out = 0x7ffc57abda40 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x7ffc55825a90 | True | 1
Get Address | c:\windows\system32\advapi32.dll | function = RegQueryValueExA, address_out = 0x7ffc57ab7dd0 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7ffc55825510 | True | 1
Get Address | c:\windows\system32\advapi32.dll | function = RegSetValueExW, address_out = 0x7ffc57ab7850 | True | 1
Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7ffc57ab72e0 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7ffc5583e430 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesW, address_out = 0x7ffc55825b00 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = WinExec, address_out = 0x7ffc55841e60 | True | 1
Get Address | c:\windows\system32\advapi32.dll | function = CryptDeriveKey, address_out = 0x7ffc57ad07a0 | True | 1
Get Address | c:\windows\system32\advapi32.dll | function = CryptGenKey, address_out = 0x7ffc57abcab0 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = Sleep, address_out = 0x7ffc55818f00 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcess, address_out = 0x7ffc55816580 | True | 1
Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteW, address_out = 0x7ffc55b1abc0 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x7ffc55825950 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = GlobalAlloc, address_out = 0x7ffc5581b810 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x7ffc558257c0 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = WaitForMultipleObjects, address_out = 0x7ffc558256e0 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameA, address_out = 0x7ffc55820c70 | True | 1
Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteA, address_out = 0x7ffc55bd7de0 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleA, address_out = 0x7ffc5581e6d0 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameW, address_out = 0x7ffc5581eca0 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7ffc55825760 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = GetFileSizeEx, address_out = 0x7ffc55825960 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x7ffc55825b80 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalDrives, address_out = 0x7ffc558166d0 | True | 1
Get Address | c:\windows\system32\mpr.dll | function = WNetEnumResourceW, address_out = 0x7ffc538127d0 | True | 1
Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7ffc57ab6cb0 | True | 1
Get Address | c:\windows\system32\mpr.dll | function = WNetCloseEnum, address_out = 0x7ffc53812e20 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x7ffc55822940 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x7ffc55825af0 | True | 1
Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExA, address_out = 0x7ffc57ab7d70 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7ffc55825b20 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount, address_out = 0x7ffc558160a0 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesW, address_out = 0x7ffc55825930 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileW, address_out = 0x7ffc55825840 | True | 1
Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextW, address_out = 0x7ffc57ab89e0 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = MoveFileExW, address_out = 0x7ffc55823010 | True | 1
Get Address | c:\windows\system32\mpr.dll | function = WNetOpenEnumW, address_out = 0x7ffc53812f20 | True | 1
Get Address | c:\windows\system32\ole32.dll | function = CoInitialize, address_out = 0x7ffc57763870 | True | 1
Get Address | c:\windows\system32\advapi32.dll | function = CryptDecrypt, address_out = 0x7ffc57ab9140 | True | 1
Get Address | c:\windows\system32\advapi32.dll | function = CryptImportKey, address_out = 0x7ffc57ab7b40 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointerEx, address_out = 0x7ffc55825b30 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = CopyFileW, address_out = 0x7ffc55825d70 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = FreeLibrary, address_out = 0x7ffc5581eb90 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessW, address_out = 0x7ffc5581dee0 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryW, address_out = 0x7ffc55825740 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = CreateThread, address_out = 0x7ffc5581bc20 | True | 1
Get Address | c:\windows\system32\advapi32.dll | function = CryptDestroyKey, address_out = 0x7ffc57ab86b0 | True | 1
Get Address | c:\windows\system32\ole32.dll | function = CoCreateInstance, address_out = 0x7ffc57257000 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = CreateFileW, address_out = 0x7ffc55825770 | True | 1
Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesA, address_out = 0x7ffc55825900 | True | 1
Get Address | c:\windows\system32\advapi32.dll | function = CryptEncrypt, address_out = 0x7ffc57abd7e0 | True | 1
Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueW, address_out = 0x7ffc57ab90b0 | True | 1
User (1)
Operation | Additional Information | Success | Count
Lookup Privilege | privilege = SeBackupPrivilege, luid = 17 | True | 1
System (9)
Operation | Additional Information | Success | Count
Sleep | duration = 5000 milliseconds (5.000 seconds) | True | 1
Sleep | duration = 25000 milliseconds (25.000 seconds) | True | 3
Get Info | type = Operating System | True | 1
Get Info | type = Windows Directory, result_out = C:\Windows | True | 4
Process #10: net.exe
Information | Value
ID | #10
File Name | c:\windows\system32\net.exe
Command Line | "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor | Start Time: 00:02:04, Reason: Child Process
Unmonitor | End Time: 00:02:10, Reason: Self Terminated
Monitor Duration | 00:00:06
Remark | No high level activity detected in monitored regions
OS Process Information
Information | Value
PID | 0xd34
Parent PID | 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable | False
Integrity Level | High (Elevated)
Username | LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs | 0xD58, 0xC5C
Process #12: shellexperiencehost.exe
Information | Value
ID | #12
File Name | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
Command Line | "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Initial Working Directory | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\
Monitor | Start Time: 00:02:06, Reason: Injection
Unmonitor | End Time: 00:03:00, Reason: Crashed
Monitor Duration | 00:00:54
OS Process Information
Information | Value
PID | 0x980
Parent PID | 0x23c (c:\windows\system32\svchost.exe)
Is Created or Modified Executable | False
Integrity Level | Low
Username | LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges | SeChangeNotifyPrivilege
Region
For performance reasons, the remaining 135 entries are omitted.
The remaining entries can be found in flog.txt.
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #2: c:\users\public\mksmd.exe 0x6b4 address = 0x7ff6d3e70000, size = 3760128 True 1 Fn Data
Create Remote Thread #2: c:\users\public\mksmd.exe 0x6b4 address = 0x7ff6d3e72870 True 1 Fn
Host Behavior
File (2)
Operation Filename Additional Information Success Count Logfile
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN False 1 Fn
Create C:\users\Public\sys desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN False 1 Fn
Module (78)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x7ffc55800000 True 1 Fn
Load mpr.dll base_address = 0x7ffc53810000 True 1 Fn
Load advapi32.dll base_address = 0x7ffc57aa0000 True 1 Fn
Load ole32.dll base_address = 0x7ffc57750000 True 1 Fn
Load Shell32.dll base_address = 0x7ffc559d0000 True 1 Fn
Load Iphlpapi.dll base_address = 0x7ffc51c50000 True 1 Fn
Get Address Unknown module name function = LoadLibraryA, address_out = 0x7ffc55822080 True 1 Fn
Get Address Unknown module name function = GetLastError, address_out = 0x7ffc55816060 True 1 Fn
Get Address Unknown module name function = VirtualFree, address_out = 0x7ffc5581bc10 True 1 Fn
Get Address Unknown module name function = CryptExportKey, address_out = 0x7ffc57ab7b50 True 1 Fn
Get Address Unknown module name function = DeleteFileW, address_out = 0x7ffc558257a0 True 1 Fn
Get Address Unknown module name function = GetDriveTypeW, address_out = 0x7ffc558258f0 True 1 Fn
Get Address Unknown module name function = GetCommandLineW, address_out = 0x7ffc55820150 True 1 Fn
Get Address Unknown module name function = GetStartupInfoW, address_out = 0x7ffc5581ed80 True 1 Fn
Get Address Unknown module name function = FindNextFileW, address_out = 0x7ffc55825880 True 1 Fn
Get Address Unknown module name function = VirtualAlloc, address_out = 0x7ffc5581baf0 True 1 Fn
Get Address Unknown module name function = GetUserNameA, address_out = 0x7ffc57acec40 True 1 Fn
Get Address Unknown module name function = ExitProcess, address_out = 0x7ffc5581ef50 True 1 Fn
Get Address Unknown module name function = Wow64RevertWow64FsRedirection, address_out = 0x7ffc558436a0 True 1 Fn
Get Address Unknown module name function = CreateProcessA, address_out = 0x7ffc5581d5b0 True 1 Fn
Get Address Unknown module name function = GetIpNetTable, address_out = 0x7ffc51c6f0b0 True 1 Fn
Get Address Unknown module name function = GetVersionExW, address_out = 0x7ffc5581aa30 True 1 Fn
Get Address Unknown module name function = Wow64DisableWow64FsRedirection, address_out = 0x7ffc55843690 True 1 Fn
Get Address Unknown module name function = GetSystemDefaultLangID, address_out = 0x7ffc55822ba0 True 1 Fn
Get Address Unknown module name function = GetUserNameW, address_out = 0x7ffc57abda40 True 1 Fn
Get Address Unknown module name function = ReadFile, address_out = 0x7ffc55825a90 True 1 Fn
Get Address Unknown module name function = RegQueryValueExA, address_out = 0x7ffc57ab7dd0 True 1 Fn
Get Address Unknown module name function = CloseHandle, address_out = 0x7ffc55825510 True 1 Fn
Get Address Unknown module name function = RegSetValueExW, address_out = 0x7ffc57ab7850 True 1 Fn
Get Address Unknown module name function = RegCloseKey, address_out = 0x7ffc57ab72e0 True 1 Fn
Get Address Unknown module name function = CopyFileA, address_out = 0x7ffc5583e430 True 1 Fn
Get Address Unknown module name function = SetFileAttributesW, address_out = 0x7ffc55825b00 True 1 Fn
Get Address Unknown module name function = WinExec, address_out = 0x7ffc55841e60 True 1 Fn
Get Address Unknown module name function = CryptDeriveKey, address_out = 0x7ffc57ad07a0 True 1 Fn
Get Address Unknown module name function = CryptGenKey, address_out = 0x7ffc57abcab0 True 1 Fn
Get Address Unknown module name function = Sleep, address_out = 0x7ffc55818f00 True 1 Fn
Get Address Unknown module name function = GetCurrentProcess, address_out = 0x7ffc55816580 True 1 Fn
Get Address Unknown module name function = ShellExecuteW, address_out = 0x7ffc55b1abc0 True 1 Fn
Get Address Unknown module name function = GetFileSize, address_out = 0x7ffc55825950 True 1 Fn
Get Address Unknown module name function = GlobalAlloc, address_out = 0x7ffc5581b810 True 1 Fn
Get Address Unknown module name function = FindClose, address_out = 0x7ffc558257c0 True 1 Fn
Get Address Unknown module name function = WaitForMultipleObjects, address_out = 0x7ffc558256e0 True 1 Fn
Get Address Unknown module name function = GetModuleFileNameA, address_out = 0x7ffc55820c70 True 1 Fn
Get Address Unknown module name function = ShellExecuteA, address_out = 0x7ffc55bd7de0 True 1 Fn
Get Address Unknown module name function = GetModuleHandleA, address_out = 0x7ffc5581e6d0 True 1 Fn
Get Address Unknown module name function = GetModuleFileNameW, address_out = 0x7ffc5581eca0 True 1 Fn
Get Address Unknown module name function = CreateFileA, address_out = 0x7ffc55825760 True 1 Fn
Get Address Unknown module name function = GetFileSizeEx, address_out = 0x7ffc55825960 True 1 Fn
Get Address Unknown module name function = WriteFile, address_out = 0x7ffc55825b80 True 1 Fn
Get Address Unknown module name function = GetLogicalDrives, address_out = 0x7ffc558166d0 True 1 Fn
Get Address Unknown module name function = WNetEnumResourceW, address_out = 0x7ffc538127d0 True 1 Fn
Get Address Unknown module name function = RegOpenKeyExW, address_out = 0x7ffc57ab6cb0 True 1 Fn
Get Address Unknown module name function = WNetCloseEnum, address_out = 0x7ffc53812e20 True 1 Fn
Get Address Unknown module name function = GetWindowsDirectoryW, address_out = 0x7ffc55822940 True 1 Fn
Get Address Unknown module name function = SetFileAttributesA, address_out = 0x7ffc55825af0 True 1 Fn
Get Address Unknown module name function = RegOpenKeyExA, address_out = 0x7ffc57ab7d70 True 1 Fn
Get Address Unknown module name function = SetFilePointer, address_out = 0x7ffc55825b20 True 1 Fn
Get Address Unknown module name function = GetTickCount, address_out = 0x7ffc558160a0 True 1 Fn
Get Address Unknown module name function = GetFileAttributesW, address_out = 0x7ffc55825930 True 1 Fn
Get Address Unknown module name function = FindFirstFileW, address_out = 0x7ffc55825840 True 1 Fn
Get Address Unknown module name function = CryptAcquireContextW, address_out = 0x7ffc57ab89e0 True 1 Fn
Get Address Unknown module name function = MoveFileExW, address_out = 0x7ffc55823010 True 1 Fn
Get Address Unknown module name function = WNetOpenEnumW, address_out = 0x7ffc53812f20 True 1 Fn
Get Address Unknown module name function = CoInitialize, address_out = 0x7ffc57763870 True 1 Fn
Get Address Unknown module name function = CryptDecrypt, address_out = 0x7ffc57ab9140 True 1 Fn
Get Address Unknown module name function = CryptImportKey, address_out = 0x7ffc57ab7b40 True 1 Fn
Get Address Unknown module name function = SetFilePointerEx, address_out = 0x7ffc55825b30 True 1 Fn
Get Address Unknown module name function = CopyFileW, address_out = 0x7ffc55825d70 True 1 Fn
Get Address Unknown module name function = FreeLibrary, address_out = 0x7ffc5581eb90 True 1 Fn
Get Address Unknown module name function = CreateProcessW, address_out = 0x7ffc5581dee0 True 1 Fn
Get Address Unknown module name function = CreateDirectoryW, address_out = 0x7ffc55825740 True 1 Fn
Get Address Unknown module name function = CreateThread, address_out = 0x7ffc5581bc20 True 1 Fn
Get Address Unknown module name function = CryptDestroyKey, address_out = 0x7ffc57ab86b0 True 1 Fn
Get Address Unknown module name function = CoCreateInstance, address_out = 0x7ffc57257000 True 1 Fn
Get Address Unknown module name function = CreateFileW, address_out = 0x7ffc55825770 True 1 Fn
Get Address Unknown module name function = GetFileAttributesA, address_out = 0x7ffc55825900 True 1 Fn
Get Address Unknown module name function = CryptEncrypt, address_out = 0x7ffc57abd7e0 True 1 Fn
Get Address Unknown module name function = RegDeleteValueW, address_out = 0x7ffc57ab90b0 True 1 Fn
User (1)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1 Fn
System (3)
Operation Additional Information Success Count Logfile
Sleep duration = 5000 milliseconds (5.000 seconds) True 1 Fn
Get Info type = Operating System True 1 Fn
Get Info type = Windows Directory, result_out = C:\Windows True 1 Fn
Process #13: searchui.exe
Information Value
ID #13
File Name c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe
Command Line "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
Initial Working Directory C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\
Monitor Start Time: 00:02:08, Reason: Injection
Unmonitor End Time: 00:03:28, Reason: Crashed
Monitor Duration 00:01:20
OS Process Information
Information Value
PID 0x9e4
Parent PID 0x23c (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Low
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 36 thread IDs (list omitted)
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
For performance reasons, the remaining 246 entries are omitted.
The remaining entries can be found in flog.txt.
Injection Information
»
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #2: c:\users\public\mksmd.exe 0x6b4 address = 0x7ff6d3e70000, size = 3760128 True 1
Fn
Data
Create Remote Thread #2: c:\users\public\mksmd.exe 0x6b4 address = 0x7ff6d3e72870 True 1
Fn
Host Behavior
File (2)
»
Operation Filename Additional Information Success Count Logfile
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN False 1
Fn
Create C:\users\Public\sys desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN False 1
Fn
Module (78)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x7ffc55800000 True 1
Fn
Load mpr.dll base_address = 0x7ffc53810000 True 1
Fn
Load advapi32.dll base_address = 0x7ffc57aa0000 True 1
Fn
Load ole32.dll base_address = 0x7ffc57750000 True 1
Fn
Load Shell32.dll base_address = 0x7ffc559d0000 True 1
Fn
Load Iphlpapi.dll base_address = 0x7ffc51c50000 True 1
Fn
Get Address Unknown module name function = LoadLibraryA, address_out = 0x7ffc55822080 True 1
Fn
Get Address Unknown module name function = GetLastError, address_out = 0x7ffc55816060 True 1
Fn
Get Address Unknown module name function = VirtualFree, address_out = 0x7ffc5581bc10 True 1
Fn
Get Address Unknown module name function = CryptExportKey, address_out = 0x7ffc57ab7b50 True 1
Fn
Get Address Unknown module name function = DeleteFileW, address_out = 0x7ffc558257a0 True 1
Fn
Get Address Unknown module name function = GetDriveTypeW, address_out = 0x7ffc558258f0 True 1
Fn
Get Address Unknown module name function = GetCommandLineW, address_out = 0x7ffc55820150 True 1
Fn
Get Address Unknown module name function = GetStartupInfoW, address_out = 0x7ffc5581ed80 True 1
Fn
Get Address Unknown module name function = FindNextFileW, address_out = 0x7ffc55825880 True 1
Fn
Get Address Unknown module name function = VirtualAlloc, address_out = 0x7ffc5581baf0 True 1
Fn
Get Address Unknown module name function = GetUserNameA, address_out = 0x7ffc57acec40 True 1
Fn
Get Address Unknown module name function = ExitProcess, address_out = 0x7ffc5581ef50 True 1
Fn
Get Address Unknown module name function = Wow64RevertWow64FsRedirection, address_out = 0x7ffc558436a0 True 1
Fn
Get Address Unknown module name function = CreateProcessA, address_out = 0x7ffc5581d5b0 True 1
Fn
Get Address Unknown module name function = GetIpNetTable, address_out = 0x7ffc51c6f0b0 True 1
Fn
Get Address Unknown module name function = GetVersionExW, address_out = 0x7ffc5581aa30 True 1
Fn
Get Address Unknown module name function = Wow64DisableWow64FsRedirection, address_out = 0x7ffc55843690 True 1
Fn
Get Address Unknown module name function = GetSystemDefaultLangID, address_out = 0x7ffc55822ba0 True 1
Fn
Get Address Unknown module name function = GetUserNameW, address_out = 0x7ffc57abda40 True 1
Fn
Get Address Unknown module name function = ReadFile, address_out = 0x7ffc55825a90 True 1
Fn
Get Address Unknown module name function = RegQueryValueExA, address_out = 0x7ffc57ab7dd0 True 1
Fn
Get Address Unknown module name function = CloseHandle, address_out = 0x7ffc55825510 True 1
Fn
Get Address Unknown module name function = RegSetValueExW, address_out = 0x7ffc57ab7850 True 1
Fn
Get Address Unknown module name function = RegCloseKey, address_out = 0x7ffc57ab72e0 True 1
Fn
Get Address Unknown module name function = CopyFileA, address_out = 0x7ffc5583e430 True 1
Fn
Get Address Unknown module name function = SetFileAttributesW, address_out = 0x7ffc55825b00 True 1
Fn
Get Address Unknown module name function = WinExec, address_out = 0x7ffc55841e60 True 1
Fn
Get Address Unknown module name function = CryptDeriveKey, address_out = 0x7ffc57ad07a0 True 1
Fn
Get Address Unknown module name function = CryptGenKey, address_out = 0x7ffc57abcab0 True 1
Fn
Get Address Unknown module name function = Sleep, address_out = 0x7ffc55818f00 True 1
Fn
Get Address Unknown module name function = GetCurrentProcess, address_out = 0x7ffc55816580 True 1
Fn
Get Address Unknown module name function = ShellExecuteW, address_out = 0x7ffc55b1abc0 True 1
Fn
Get Address Unknown module name function = GetFileSize, address_out = 0x7ffc55825950 True 1
Fn
Get Address Unknown module name function = GlobalAlloc, address_out = 0x7ffc5581b810 True 1
Fn
Get Address Unknown module name function = FindClose, address_out = 0x7ffc558257c0 True 1
Fn
Get Address Unknown module name function = WaitForMultipleObjects, address_out = 0x7ffc558256e0 True 1
Fn
Get Address Unknown module name function = GetModuleFileNameA, address_out = 0x7ffc55820c70 True 1
Fn
Get Address Unknown module name function = ShellExecuteA, address_out = 0x7ffc55bd7de0 True 1
Fn
Get Address Unknown module name function = GetModuleHandleA, address_out = 0x7ffc5581e6d0 True 1
Fn
Get Address Unknown module name function = GetModuleFileNameW, address_out = 0x7ffc5581eca0 True 1
Fn
Get Address Unknown module name function = CreateFileA, address_out = 0x7ffc55825760 True 1
Fn
Get Address Unknown module name function = GetFileSizeEx, address_out = 0x7ffc55825960 True 1
Fn
Get Address Unknown module name function = WriteFile, address_out = 0x7ffc55825b80 True 1
Get Address Unknown module name function = GetLogicalDrives, address_out = 0x7ffc558166d0 True 1
Get Address Unknown module name function = WNetEnumResourceW, address_out = 0x7ffc538127d0 True 1
Get Address Unknown module name function = RegOpenKeyExW, address_out = 0x7ffc57ab6cb0 True 1
Get Address Unknown module name function = WNetCloseEnum, address_out = 0x7ffc53812e20 True 1
Get Address Unknown module name function = GetWindowsDirectoryW, address_out = 0x7ffc55822940 True 1
Get Address Unknown module name function = SetFileAttributesA, address_out = 0x7ffc55825af0 True 1
Get Address Unknown module name function = RegOpenKeyExA, address_out = 0x7ffc57ab7d70 True 1
Get Address Unknown module name function = SetFilePointer, address_out = 0x7ffc55825b20 True 1
Get Address Unknown module name function = GetTickCount, address_out = 0x7ffc558160a0 True 1
Get Address Unknown module name function = GetFileAttributesW, address_out = 0x7ffc55825930 True 1
Get Address Unknown module name function = FindFirstFileW, address_out = 0x7ffc55825840 True 1
Get Address Unknown module name function = CryptAcquireContextW, address_out = 0x7ffc57ab89e0 True 1
Get Address Unknown module name function = MoveFileExW, address_out = 0x7ffc55823010 True 1
Get Address Unknown module name function = WNetOpenEnumW, address_out = 0x7ffc53812f20 True 1
Get Address Unknown module name function = CoInitialize, address_out = 0x7ffc57763870 True 1
Get Address Unknown module name function = CryptDecrypt, address_out = 0x7ffc57ab9140 True 1
Get Address Unknown module name function = CryptImportKey, address_out = 0x7ffc57ab7b40 True 1
Get Address Unknown module name function = SetFilePointerEx, address_out = 0x7ffc55825b30 True 1
Get Address Unknown module name function = CopyFileW, address_out = 0x7ffc55825d70 True 1
Get Address Unknown module name function = FreeLibrary, address_out = 0x7ffc5581eb90 True 1
Get Address Unknown module name function = CreateProcessW, address_out = 0x7ffc5581dee0 True 1
Get Address Unknown module name function = CreateDirectoryW, address_out = 0x7ffc55825740 True 1
Get Address Unknown module name function = CreateThread, address_out = 0x7ffc5581bc20 True 1
Get Address Unknown module name function = CryptDestroyKey, address_out = 0x7ffc57ab86b0 True 1
Get Address Unknown module name function = CoCreateInstance, address_out = 0x7ffc57257000 True 1
Get Address Unknown module name function = CreateFileW, address_out = 0x7ffc55825770 True 1
Get Address Unknown module name function = GetFileAttributesA, address_out = 0x7ffc55825900 True 1
Get Address Unknown module name function = CryptEncrypt, address_out = 0x7ffc57abd7e0 True 1
Get Address Unknown module name function = RegDeleteValueW, address_out = 0x7ffc57ab90b0 True 1
User (1)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
System (3)
Operation Additional Information Success Count Logfile
Sleep duration = 5000 milliseconds (5.000 seconds) True 1
Get Info type = Operating System True 1
Get Info type = Windows Directory, result_out = C:\Windows True 1
Process #14: net1.exe
67 0
Information Value
ID #14
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "audioendpointbuilder" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:02:09, Reason: Child Process
Unmonitor End Time: 00:02:16, Reason: Self Terminated
Monitor Duration 00:00:07
OS Process Information
Information Value
PID 0xd74
Parent PID 0xd48 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC50, 0xC48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000001d22900000 0x1d22900000 0x1d2291ffff Private Memory rw True False False -
pagefile_0x0000001d22900000 0x1d22900000 0x1d2290ffff Pagefile Backed Memory rw True False False -
private_0x0000001d22910000 0x1d22910000 0x1d22916fff Private Memory rw True False False -
pagefile_0x0000001d22920000 0x1d22920000 0x1d22933fff Pagefile Backed Memory r True False False -
private_0x0000001d22940000 0x1d22940000 0x1d229bffff Private Memory rw True False False -
pagefile_0x0000001d229c0000 0x1d229c0000 0x1d229c3fff Pagefile Backed Memory r True False False -
pagefile_0x0000001d229d0000 0x1d229d0000 0x1d229d0fff Pagefile Backed Memory r True False False -
private_0x0000001d229e0000 0x1d229e0000 0x1d229e1fff Private Memory rw True False False -
private_0x0000001d229f0000 0x1d229f0000 0x1d22aeffff Private Memory rw True False False -
locale.nls 0x1d22af0000 0x1d22badfff Memory Mapped File r False False False -
private_0x0000001d22bb0000 0x1d22bb0000 0x1d22c2ffff Private Memory rw True False False -
private_0x0000001d22c30000 0x1d22c30000 0x1d22c36fff Private Memory rw True False False -
netmsg.dll 0x1d22c40000 0x1d22c42fff Memory Mapped File rwx False False False -
netmsg.dll.mui 0x1d22c50000 0x1d22c81fff Memory Mapped File r False False False -
private_0x0000001d22cf0000 0x1d22cf0000 0x1d22cfffff Private Memory rw True False False -
pagefile_0x00007df5ffe10000 0x7df5ffe10000 0x7ff5ffe0ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff719800000 0x7ff719800000 0x7ff7198fffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff719900000 0x7ff719900000 0x7ff719922fff Pagefile Backed Memory r True False False -
private_0x00007ff71992b000 0x7ff71992b000 0x7ff71992cfff Private Memory rw True False False -
private_0x00007ff71992d000 0x7ff71992d000 0x7ff71992efff Private Memory rw True False False -
private_0x00007ff71992f000 0x7ff71992f000 0x7ff71992ffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc466b0000 0x7ffc466c3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (32)
Operation Filename Additional Information Success Count Logfile
Get Info STD_OUTPUT_HANDLE type = file_type True 15
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_OUTPUT_HANDLE size = 169 True 1
Write STD_OUTPUT_HANDLE size = 2 True 7
Write STD_OUTPUT_HANDLE size = 16 True 1
Write STD_OUTPUT_HANDLE size = 37 True 1
Write STD_OUTPUT_HANDLE size = 1 True 2
Write STD_OUTPUT_HANDLE size = 53 True 1
Write STD_OUTPUT_HANDLE size = 54 True 1
Write STD_OUTPUT_HANDLE size = 70 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x1d22c40000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (30)
Operation Additional Information Success Count Logfile
Control service_name = AUDIOENDPOINTBUILDER True 1
Control service_name = Audiosrv True 1
Control service_name = Audiosrv True 1
Control service_name = Audiosrv False 1
Control service_name = AUDIOENDPOINTBUILDER True 1
Control service_name = AUDIOENDPOINTBUILDER False 1
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 3
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 2
Get Info service_name = AUDIOENDPOINTBUILDER True 1
Get Info service_name = AUDIOENDPOINTBUILDER True 1
Get Info service_name = Audiosrv True 1
Get Info service_name = AUDIOENDPOINTBUILDER True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 2
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Sleep duration = 2500 milliseconds (2.500 seconds) True 2
Process #15: net1.exe
20 0
Information Value
ID #15
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:02:09, Reason: Child Process
Unmonitor End Time: 00:02:10, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc3c
Parent PID 0xd34 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC44, 0xC58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000b5ddd60000 0xb5ddd60000 0xb5ddd7ffff Private Memory rw True False False -
pagefile_0x000000b5ddd60000 0xb5ddd60000 0xb5ddd6ffff Pagefile Backed Memory rw True False False -
private_0x000000b5ddd70000 0xb5ddd70000 0xb5ddd76fff Private Memory rw True False False -
pagefile_0x000000b5ddd80000 0xb5ddd80000 0xb5ddd93fff Pagefile Backed Memory r True False False -
private_0x000000b5ddda0000 0xb5ddda0000 0xb5dde1ffff Private Memory rw True False False -
pagefile_0x000000b5dde20000 0xb5dde20000 0xb5dde23fff Pagefile Backed Memory r True False False -
pagefile_0x000000b5dde30000 0xb5dde30000 0xb5dde30fff Pagefile Backed Memory r True False False -
private_0x000000b5dde40000 0xb5dde40000 0xb5dde41fff Private Memory rw True False False -
locale.nls 0xb5dde50000 0xb5ddf0dfff Memory Mapped File r False False False -
private_0x000000b5ddf10000 0xb5ddf10000 0xb5ddf16fff Private Memory rw True False False -
netmsg.dll 0xb5ddf20000 0xb5ddf22fff Memory Mapped File rwx False False False -
private_0x000000b5ddf50000 0xb5ddf50000 0xb5de04ffff Private Memory rw True False False -
private_0x000000b5de050000 0xb5de050000 0xb5de0cffff Private Memory rw True False False -
netmsg.dll.mui 0xb5de0d0000 0xb5de101fff Memory Mapped File r False False False -
private_0x000000b5de1e0000 0xb5de1e0000 0xb5de1effff Private Memory rw True False False -
pagefile_0x00007df5ff870000 0x7df5ff870000 0x7ff5ff86ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff719a30000 0x7ff719a30000 0x7ff719b2ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff719b30000 0x7ff719b30000 0x7ff719b52fff Pagefile Backed Memory r True False False -
private_0x00007ff719b56000 0x7ff719b56000 0x7ff719b56fff Private Memory rw True False False -
private_0x00007ff719b5c000 0x7ff719b5c000 0x7ff719b5dfff Private Memory rw True False False -
private_0x00007ff719b5e000 0x7ff719b5e000 0x7ff719b5ffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc466b0000 0x7ffc466c3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0xb5ddf20000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (7)
Operation Additional Information Success Count Logfile
Control service_name = SAMSS True 1
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Process #16: net1.exe
33 0
Information Value
ID #16
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "spooler" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:02:09, Reason: Child Process
Unmonitor End Time: 00:02:14, Reason: Self Terminated
Monitor Duration 00:00:05
OS Process Information
Information Value
PID 0xd90
Parent PID 0xc94 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD44, 0xD40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000dd53ba0000 0xdd53ba0000 0xdd53bbffff Private Memory rw True False False -
pagefile_0x000000dd53ba0000 0xdd53ba0000 0xdd53baffff Pagefile Backed Memory rw True False False -
private_0x000000dd53bb0000 0xdd53bb0000 0xdd53bb6fff Private Memory rw True False False -
pagefile_0x000000dd53bc0000 0xdd53bc0000 0xdd53bd3fff Pagefile Backed Memory r True False False -
private_0x000000dd53be0000 0xdd53be0000 0xdd53c5ffff Private Memory rw True False False -
pagefile_0x000000dd53c60000 0xdd53c60000 0xdd53c63fff Pagefile Backed Memory r True False False -
pagefile_0x000000dd53c70000 0xdd53c70000 0xdd53c70fff Pagefile Backed Memory r True False False -
private_0x000000dd53c80000 0xdd53c80000 0xdd53c81fff Private Memory rw True False False -
locale.nls 0xdd53c90000 0xdd53d4dfff Memory Mapped File r False False False -
private_0x000000dd53d50000 0xdd53d50000 0xdd53d56fff Private Memory rw True False False -
private_0x000000dd53d60000 0xdd53d60000 0xdd53e5ffff Private Memory rw True False False -
private_0x000000dd53e60000 0xdd53e60000 0xdd53edffff Private Memory rw True False False -
netmsg.dll 0xdd53ee0000 0xdd53ee2fff Memory Mapped File rwx False False False -
netmsg.dll.mui 0xdd53ef0000 0xdd53f21fff Memory Mapped File r False False False -
private_0x000000dd540d0000 0xdd540d0000 0xdd540dffff Private Memory rw True False False -
pagefile_0x00007df5ff230000 0x7df5ff230000 0x7ff5ff22ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff719e40000 0x7ff719e40000 0x7ff719f3ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff719f40000 0x7ff719f40000 0x7ff719f62fff Pagefile Backed Memory r True False False -
private_0x00007ff719f64000 0x7ff719f64000 0x7ff719f64fff Private Memory rw True False False -
private_0x00007ff719f6c000 0x7ff719f6c000 0x7ff719f6dfff Private Memory rw True False False -
private_0x00007ff719f6e000 0x7ff719f6e000 0x7ff719f6ffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc466b0000 0x7ffc466c3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (12)
Operation Filename Additional Information Success Count Logfile
Get Info STD_OUTPUT_HANDLE type = file_type True 5
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_OUTPUT_HANDLE size = 37 True 1
Write STD_OUTPUT_HANDLE size = 1 True 1
Write STD_OUTPUT_HANDLE size = 2 True 2
Write STD_OUTPUT_HANDLE size = 53 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0xdd53ee0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (17)
Operation Additional Information Success Count Logfile
Control service_name = SPOOLER True 1
Control service_name = SPOOLER True 1
Control service_name = SPOOLER False 1
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 2
Get Info service_name = SPOOLER True 1
Get Info service_name = SPOOLER True 1
Get Info service_name = SPOOLER True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (1)
Operation Additional Information Success Count Logfile
Sleep duration = 2500 milliseconds (2.500 seconds) True 1
Process #17: werfault.exe
0 0
Information Value
ID #17
File Name c:\windows\system32\werfault.exe
Command Line C:\Windows\system32\WerFault.exe -u -p 1796 -s 1640
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:10, Reason: Child Process
Unmonitor End Time: 00:02:30, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x75c
Parent PID 0x704 (c:\windows\system32\sihost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x4D0, 0xAE8, 0x900, 0x8A8, 0x518, 0xB80, 0xA68, 0x820, 0x384
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000bc36bd0000 0xbc36bd0000 0xbc36beffff Private Memory rw True False False -
pagefile_0x000000bc36bd0000 0xbc36bd0000 0xbc36bdffff Pagefile Backed Memory rw True False False -
private_0x000000bc36be0000 0xbc36be0000 0xbc36be6fff Private Memory rw True False False -
pagefile_0x000000bc36bf0000 0xbc36bf0000 0xbc36c03fff Pagefile Backed Memory r True False False -
private_0x000000bc36c10000 0xbc36c10000 0xbc36c8ffff Private Memory rw True False False -
pagefile_0x000000bc36c90000 0xbc36c90000 0xbc36c93fff Pagefile Backed Memory r True False False -
pagefile_0x000000bc36ca0000 0xbc36ca0000 0xbc36ca2fff Pagefile Backed Memory r True False False -
private_0x000000bc36cb0000 0xbc36cb0000 0xbc36cb1fff Private Memory rw True False False -
locale.nls 0xbc36cc0000 0xbc36d7dfff Memory Mapped File r False False False -
private_0x000000bc36d80000 0xbc36d80000 0xbc36dfffff Private Memory rw True False False -
private_0x000000bc36e00000 0xbc36e00000 0xbc36e0ffff Private Memory rw True False False -
private_0x000000bc36e10000 0xbc36e10000 0xbc36e16fff Private Memory rw True False False -
werfault.exe.mui 0xbc36e20000 0xbc36e23fff Memory Mapped File r False False False -
private_0x000000bc36e30000 0xbc36e30000 0xbc36e30fff Private Memory rw True False False -
private_0x000000bc36e40000 0xbc36e40000 0xbc36e40fff Private Memory rw True False False -
pagefile_0x000000bc36e50000 0xbc36e50000 0xbc36e50fff Pagefile Backed Memory rw True False False -
private_0x000000bc36e60000 0xbc36e60000 0xbc36e60fff Private Memory rw True False False -
faultrep.dll.mui 0xbc36e70000 0xbc36e71fff Memory Mapped File r False False False -
private_0x000000bc36e80000 0xbc36e80000 0xbc36e80fff Private Memory rw True False False -
private_0x000000bc36e90000 0xbc36e90000 0xbc36f8ffff Private Memory rw True False False -
pagefile_0x000000bc36f90000 0xbc36f90000 0xbc37117fff Pagefile Backed Memory r True False False -
wer.dll.mui 0xbc37120000 0xbc37122fff Memory Mapped File r False False False -
private_0x000000bc37130000 0xbc37130000 0xbc37136fff Private Memory rw True False False -
pagefile_0x000000bc37140000 0xbc37140000 0xbc37141fff Pagefile Backed Memory r True False False -
private_0x000000bc37150000 0xbc37150000 0xbc3715ffff Private Memory rw True False False -
pagefile_0x000000bc37160000 0xbc37160000 0xbc372e0fff Pagefile Backed Memory r True False False -
pagefile_0x000000bc372f0000 0xbc372f0000 0xbc386effff Pagefile Backed Memory r True False False -
ntdll.dll.mui 0xbc386f0000 0xbc38755fff Memory Mapped File r False False False -
pagefile_0x000000bc38760000 0xbc38760000 0xbc38761fff Pagefile Backed Memory r True False False -
pagefile_0x000000bc38770000 0xbc38770000 0xbc38770fff Pagefile Backed Memory r True False False -
werui.dll.mui 0xbc38770000 0xbc38774fff Memory Mapped File r False False False -
pagefile_0x000000bc38780000 0xbc38780000 0xbc38781fff Pagefile Backed Memory r True False False -
pagefile_0x000000bc38790000 0xbc38790000 0xbc38790fff Pagefile Backed Memory r True False False -
pagefile_0x000000bc387a0000 0xbc387a0000 0xbc387a1fff Pagefile Backed Memory r True False False -
pagefile_0x000000bc387b0000 0xbc387b0000 0xbc387b3fff Pagefile Backed Memory r True False False -
private_0x000000bc387c0000 0xbc387c0000 0xbc387c6fff Private Memory rw True False False -
duser.dll.mui 0xbc387d0000 0xbc387d0fff Memory Mapped File r False False False -
private_0x000000bc38800000 0xbc38800000 0xbc3880ffff Private Memory rw True False False -
sortdefault.nls 0xbc38810000 0xbc38b46fff Memory Mapped File r False False False -
private_0x000000bc38b50000 0xbc38b50000 0xbc38c4ffff Private Memory rw True False False -
private_0x000000bc38c50000 0xbc38c50000 0xbc38d4ffff Private Memory rw True False False -
private_0x000000bc38d50000 0xbc38d50000 0xbc38e4ffff Private Memory rw True False False -
private_0x000000bc38e50000 0xbc38e50000 0xbc3904ffff Private Memory rw True False False -
kernelbase.dll.mui 0xbc39050000 0xbc3912efff Memory Mapped File r False False False -
private_0x000000bc39130000 0xbc39130000 0xbc3922ffff Private Memory rw True False False -
private_0x000000bc39230000 0xbc39230000 0xbc392affff Private Memory rw True False False -
private_0x000000bc392b0000 0xbc392b0000 0xbc3932ffff Private Memory rw True False False -
private_0x000000bc39330000 0xbc39330000 0xbc393affff Private Memory rw True False False -
private_0x000000bc393b0000 0xbc393b0000 0xbc3942ffff Private Memory rw True False False -
private_0x000000bc39430000 0xbc39430000 0xbc394affff Private Memory rw True False False -
private_0x000000bc394b0000 0xbc394b0000 0xbc3952ffff Private Memory rw True False False -
pagefile_0x000000bc39530000 0xbc39530000 0xbc395e7fff Pagefile Backed Memory r True False False -
pagefile_0x00007df5ff3e0000 0x7df5ff3e0000 0x7ff5ff3dffff Pagefile Backed Memory - True False False -
private_0x00007ff65d00c000 0x7ff65d00c000 0x7ff65d00dfff Private Memory rw True False False -
private_0x00007ff65d00e000 0x7ff65d00e000 0x7ff65d00ffff Private Memory rw True False False -
pagefile_0x00007ff65d010000 0x7ff65d010000 0x7ff65d10ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff65d110000 0x7ff65d110000 0x7ff65d132fff Pagefile Backed Memory r True False False -
private_0x00007ff65d133000 0x7ff65d133000 0x7ff65d133fff Private Memory rw True False False -
private_0x00007ff65d134000 0x7ff65d134000 0x7ff65d135fff Private Memory rw True False False -
private_0x00007ff65d136000 0x7ff65d136000 0x7ff65d137fff Private Memory rw True False False -
private_0x00007ff65d138000 0x7ff65d138000 0x7ff65d139fff Private Memory rw True False False -
private_0x00007ff65d13a000 0x7ff65d13a000 0x7ff65d13bfff Private Memory rw True False False -
private_0x00007ff65d13c000 0x7ff65d13c000 0x7ff65d13dfff Private Memory rw True False False -
private_0x00007ff65d13e000 0x7ff65d13e000 0x7ff65d13ffff Private Memory rw True False False -
werfault.exe 0x7ff65dca0000 0x7ff65dceafff Memory Mapped File rwx False False False -
dbgeng.dll 0x7ffc3e380000 0x7ffc3e85bfff Memory Mapped File rwx False False False -
wer.dll 0x7ffc3ec10000 0x7ffc3ecadfff Memory Mapped File rwx False False False -
dbghelp.dll 0x7ffc3f1e0000 0x7ffc3f369fff Memory Mapped File rwx False False False -
riched20.dll 0x7ffc3fb40000 0x7ffc3fbdafff Memory Mapped File rwx False False False -
dui70.dll 0x7ffc3ff20000 0x7ffc400cffff Memory Mapped File rwx False False False -
atlthunk.dll 0x7ffc41be0000 0x7ffc41beffff Memory Mapped File rwx False False False -
npmproxy.dll 0x7ffc4b090000 0x7ffc4b09dfff Memory Mapped File rwx False False False -
secur32.dll 0x7ffc4b6e0000 0x7ffc4b6ebfff Memory Mapped File rwx False False False -
version.dll 0x7ffc4b890000 0x7ffc4b899fff Memory Mapped File rwx False False False -
netprofm.dll 0x7ffc4c220000 0x7ffc4c25efff Memory Mapped File rwx False False False -
comctl32.dll 0x7ffc4cbd0000 0x7ffc4ce43fff Memory Mapped File rwx False False False -
dbgmodel.dll 0x7ffc4d040000 0x7ffc4d0d0fff Memory Mapped File rwx False False False -
werui.dll 0x7ffc4d060000 0x7ffc4d0d3fff Memory Mapped File rwx False False False -
msls31.dll 0x7ffc4d220000 0x7ffc4d257fff Memory Mapped File rwx False False False -
faultrep.dll 0x7ffc4d480000 0x7ffc4d4ddfff Memory Mapped File rwx False False False -
duser.dll 0x7ffc4f3a0000 0x7ffc4f438fff Memory Mapped File rwx False False False -
xmllite.dll 0x7ffc4fb00000 0x7ffc4fb35fff Memory Mapped File rwx False False False -
dbgcore.dll 0x7ffc50db0000 0x7ffc50dd4fff Memory Mapped File rwx False False False -
usp10.dll 0x7ffc513c0000 0x7ffc513d7fff Memory Mapped File rwx False False False -
dwmapi.dll 0x7ffc525f0000 0x7ffc52611fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7ffc52d70000 0x7ffc52e05fff Memory Mapped File rwx False False False -
devobj.dll 0x7ffc52ef0000 0x7ffc52f16fff Memory Mapped File rwx False False False -
ntmarta.dll 0x7ffc53920000 0x7ffc53951fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7ffc53a90000 0x7ffc53ac2fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7ffc54210000 0x7ffc54226fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7ffc54280000 0x7ffc5428afff Memory Mapped File rwx False False False -
sspicli.dll 0x7ffc54320000 0x7ffc5434bfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7ffc543d0000 0x7ffc5443afff Memory Mapped File rwx False False False -
profapi.dll 0x7ffc54580000 0x7ffc54592fff Memory Mapped File rwx False False False -
powrprof.dll 0x7ffc545a0000 0x7ffc545e9fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7ffc54610000 0x7ffc5461efff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7ffc54620000 0x7ffc54663fff Memory Mapped File rwx False False False -
windows.storage.dll 0x7ffc54670000 0x7ffc54c97fff Memory Mapped File rwx False False False -
shcore.dll 0x7ffc54f80000 0x7ffc55032fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
imm32.dll 0x7ffc55280000 0x7ffc552b5fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
msctf.dll 0x7ffc55380000 0x7ffc554dbfff Memory Mapped File rwx False False False -
user32.dll 0x7ffc554e0000 0x7ffc5562dfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7ffc55910000 0x7ffc559cdfff Memory Mapped File rwx False False False -
shell32.dll 0x7ffc559d0000 0x7ffc56ef4fff Memory Mapped File rwx False False False -
nsi.dll 0x7ffc56f00000 0x7ffc56f07fff Memory Mapped File rwx False False False -
gdi32.dll 0x7ffc56f10000 0x7ffc57094fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
combase.dll 0x7ffc571d0000 0x7ffc5744bfff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ole32.dll 0x7ffc57750000 0x7ffc57890fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7ffc578a0000 0x7ffc578f0fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7ffc57970000 0x7ffc57a14fff Memory Mapped File rwx False False False -
advapi32.dll 0x7ffc57aa0000 0x7ffc57b45fff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #18: werfault.exe
0 0
Information Value
ID #18
File Name c:\windows\system32\werfault.exe
Command Line C:\Windows\system32\WerFault.exe -u -p 2432 -s 3164
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:11, Reason: Child Process
Unmonitor End Time: 00:02:31, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1f4
Parent PID 0x980 (c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x340, 0x434, 0x858, 0x954, 0x784
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000000100000000 0x100000000 0x10001ffff Private Memory rw True False False -
pagefile_0x0000000100000000 0x100000000 0x10000ffff Pagefile Backed Memory rw True False False -
private_0x0000000100010000 0x100010000 0x100016fff Private Memory rw True False False -
pagefile_0x0000000100020000 0x100020000 0x100033fff Pagefile Backed Memory r True False False -
private_0x0000000100040000 0x100040000 0x1000bffff Private Memory rw True False False -
pagefile_0x00000001000c0000 0x1000c0000 0x1000c3fff Pagefile Backed Memory r True False False -
pagefile_0x00000001000d0000 0x1000d0000 0x1000d2fff Pagefile Backed Memory r True False False -
private_0x00000001000e0000 0x1000e0000 0x1000e1fff Private Memory rw True False False -
locale.nls 0x1000f0000 0x1001adfff Memory Mapped File r False False False -
private_0x00000001001b0000 0x1001b0000 0x10022ffff Private Memory rw True False False -
private_0x0000000100230000 0x100230000 0x100236fff Private Memory rw True False False -
werfault.exe.mui 0x100240000 0x100243fff Memory Mapped File r False False False -
private_0x0000000100250000 0x100250000 0x100250fff Private Memory rw True False False -
private_0x0000000100260000 0x100260000 0x100260fff Private Memory rw True False False -
pagefile_0x0000000100270000 0x100270000 0x100270fff Pagefile Backed Memory rw True False False -
private_0x0000000100280000 0x100280000 0x10028ffff Private Memory rw True False False -
pagefile_0x0000000100290000 0x100290000 0x100290fff Pagefile Backed Memory r True False False -
pagefile_0x00000001002a0000 0x1002a0000 0x1002a0fff Pagefile Backed Memory r True False False -
private_0x00000001002b0000 0x1002b0000 0x1003affff Private Memory rw True False False -
private_0x0000000100450000 0x100450000 0x10045ffff Private Memory rw True False False -
pagefile_0x0000000100460000 0x100460000 0x1005e7fff Pagefile Backed Memory r True False False -
pagefile_0x00000001005f0000 0x1005f0000 0x100770fff Pagefile Backed Memory r True False False -
pagefile_0x0000000100780000 0x100780000 0x101b7ffff Pagefile Backed Memory r True False False -
private_0x0000000101c80000 0x101c80000 0x101c8ffff Private Memory rw True False False -
pagefile_0x00007df5ff200000 0x7df5ff200000 0x7ff5ff1fffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff65d770000 0x7ff65d770000 0x7ff65d86ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff65d870000 0x7ff65d870000 0x7ff65d892fff Pagefile Backed Memory r True False False -
private_0x00007ff65d89a000 0x7ff65d89a000 0x7ff65d89bfff Private Memory rw True False False -
private_0x00007ff65d89c000 0x7ff65d89c000 0x7ff65d89cfff Private Memory rw True False False -
private_0x00007ff65d89e000 0x7ff65d89e000 0x7ff65d89ffff Private Memory rw True False False -
werfault.exe 0x7ff65dca0000 0x7ff65dceafff Memory Mapped File rwx False False False -
wer.dll 0x7ffc3ec10000 0x7ffc3ecadfff Memory Mapped File rwx False False False -
dbghelp.dll 0x7ffc3f1e0000 0x7ffc3f369fff Memory Mapped File rwx False False False -
faultrep.dll 0x7ffc4d480000 0x7ffc4d4ddfff Memory Mapped File rwx False False False -
dbgcore.dll 0x7ffc50db0000 0x7ffc50dd4fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7ffc52d70000 0x7ffc52e05fff Memory Mapped File rwx False False False -
devobj.dll 0x7ffc52ef0000 0x7ffc52f16fff Memory Mapped File rwx False False False -
twinapi.appcore.dll 0x7ffc52f40000 0x7ffc5302dfff Memory Mapped File rwx False False False -
userenv.dll 0x7ffc53b80000 0x7ffc53b9efff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7ffc543d0000 0x7ffc5443afff Memory Mapped File rwx False False False -
profapi.dll 0x7ffc54580000 0x7ffc54592fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7ffc54610000 0x7ffc5461efff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7ffc54620000 0x7ffc54663fff Memory Mapped File rwx False False False -
shcore.dll 0x7ffc54f80000 0x7ffc55032fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
imm32.dll 0x7ffc55280000 0x7ffc552b5fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
msctf.dll 0x7ffc55380000 0x7ffc554dbfff Memory Mapped File rwx False False False -
user32.dll 0x7ffc554e0000 0x7ffc5562dfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
gdi32.dll 0x7ffc56f10000 0x7ffc57094fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
combase.dll 0x7ffc571d0000 0x7ffc5744bfff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
clbcatq.dll 0x7ffc57970000 0x7ffc57a14fff Memory Mapped File rwx False False False -
advapi32.dll 0x7ffc57aa0000 0x7ffc57b45fff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #19: sihost.exe
0 0
Information Value
ID #19
File Name c:\windows\system32\sihost.exe
Command Line sihost.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:13, Reason: Child Process
Unmonitor End Time: 00:02:30, Reason: Self Terminated
Monitor Duration 00:00:17
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x5bc
Parent PID 0x704 (c:\windows\system32\sihost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs -
Process #20: werfault.exe
0 0
Information Value
ID #20
File Name c:\windows\system32\werfault.exe
Command Line C:\Windows\system32\WerFault.exe -u -p 2432 -s 3224
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:14, Reason: Child Process
Unmonitor End Time: 00:02:59, Reason: Self Terminated
Monitor Duration 00:00:45
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdc4
Parent PID 0x980 (c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xDD4
0xB18
0x368
0xB68
0xE0C
0xDB8
0xE80
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000097bf0b0000 0x97bf0b0000 0x97bf0cffff Private Memory rw True False False -
pagefile_0x00000097bf0b0000 0x97bf0b0000 0x97bf0bffff Pagefile Backed Memory rw True False False -
private_0x00000097bf0c0000 0x97bf0c0000 0x97bf0c6fff Private Memory rw True False False -
pagefile_0x00000097bf0d0000 0x97bf0d0000 0x97bf0e3fff Pagefile Backed Memory r True False False -
private_0x00000097bf0f0000 0x97bf0f0000 0x97bf16ffff Private Memory rw True False False -
pagefile_0x00000097bf170000 0x97bf170000 0x97bf173fff Pagefile Backed Memory r True False False -
pagefile_0x00000097bf180000 0x97bf180000 0x97bf182fff Pagefile Backed Memory r True False False -
private_0x00000097bf190000 0x97bf190000 0x97bf191fff Private Memory rw True False False -
locale.nls 0x97bf1a0000 0x97bf25dfff Memory Mapped File r False False False -
private_0x00000097bf260000 0x97bf260000 0x97bf2dffff Private Memory rw True False False -
private_0x00000097bf2e0000 0x97bf2e0000 0x97bf2e6fff Private Memory rw True False False -
werfault.exe.mui 0x97bf2f0000 0x97bf2f3fff Memory Mapped File r False False False -
private_0x00000097bf300000 0x97bf300000 0x97bf300fff Private Memory rw True False False -
private_0x00000097bf310000 0x97bf310000 0x97bf310fff Private Memory rw True False False -
private_0x00000097bf320000 0x97bf320000 0x97bf32ffff Private Memory rw True False False -
pagefile_0x00000097bf330000 0x97bf330000 0x97bf330fff Pagefile Backed Memory rw True False False -
pagefile_0x00000097bf340000 0x97bf340000 0x97bf340fff Pagefile Backed Memory r True False False -
pagefile_0x00000097bf350000 0x97bf350000 0x97bf350fff Pagefile Backed Memory r True False False -
faultrep.dll.mui 0x97bf360000 0x97bf361fff Memory Mapped File r False False False -
wer.dll.mui 0x97bf370000 0x97bf372fff Memory Mapped File r False False False -
private_0x00000097bf380000 0x97bf380000 0x97bf47ffff Private Memory rw True False False -
private_0x00000097bf480000 0x97bf480000 0x97bf4fffff Private Memory rw True False False -
private_0x00000097bf500000 0x97bf500000 0x97bf506fff Private Memory rw True False False -
pagefile_0x00000097bf510000 0x97bf510000 0x97bf511fff Pagefile Backed Memory r True False False -
pagefile_0x00000097bf520000 0x97bf520000 0x97bf521fff Pagefile Backed Memory r True False False -
pagefile_0x00000097bf530000 0x97bf530000 0x97bf530fff Pagefile Backed Memory rw True False False -
pagefile_0x00000097bf540000 0x97bf540000 0x97bf541fff Pagefile Backed Memory r True False False -
private_0x00000097bf550000 0x97bf550000 0x97bf55ffff Private Memory rw True False False -
pagefile_0x00000097bf560000 0x97bf560000 0x97bf589fff Pagefile Backed Memory rw True False False -
winnlsres.dll 0x97bf590000 0x97bf594fff Memory Mapped File r False False False -
winnlsres.dll.mui 0x97bf5a0000 0x97bf5affff Memory Mapped File r False False False -
mswsock.dll.mui 0x97bf5b0000 0x97bf5b2fff Memory Mapped File r False False False -
private_0x00000097bf5c0000 0x97bf5c0000 0x97bf5cffff Private Memory rw True False False -
pagefile_0x00000097bf5d0000 0x97bf5d0000 0x97bf757fff Pagefile Backed Memory r True False False -
pagefile_0x00000097bf760000 0x97bf760000 0x97bf8e0fff Pagefile Backed Memory r True False False -
pagefile_0x00000097bf8f0000 0x97bf8f0000 0x97c0ceffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x97c0cf0000 0x97c1026fff Memory Mapped File r False False False -
private_0x00000097c1030000 0x97c1030000 0x97c10affff Private Memory rw True False False -
private_0x00000097c10b0000 0x97c10b0000 0x97c112ffff Private Memory rw True False False -
ntdll.dll.mui 0x97c1130000 0x97c1195fff Memory Mapped File r False False False -
private_0x00000097c11a0000 0x97c11a0000 0x97c121ffff Private Memory rw True False False -
private_0x00000097c1220000 0x97c1220000 0x97c131ffff Private Memory rw True False False -
private_0x00000097c1320000 0x97c1320000 0x97c141ffff Private Memory rw True False False -
private_0x00000097c1420000 0x97c1420000 0x97c151ffff Private Memory rw True False False -
private_0x00000097c1520000 0x97c1520000 0x97c171ffff Private Memory rw True False False -
kernelbase.dll.mui 0x97c1720000 0x97c17fefff Memory Mapped File r False False False -
private_0x00000097c1800000 0x97c1800000 0x97c18fffff Private Memory rw True False False -
pagefile_0x00007df5ffc80000 0x7df5ffc80000 0x7ff5ffc7ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff65cc50000 0x7ff65cc50000 0x7ff65cd4ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff65cd50000 0x7ff65cd50000 0x7ff65cd72fff Pagefile Backed Memory r True False False -
private_0x00007ff65cd73000 0x7ff65cd73000 0x7ff65cd74fff Private Memory rw True False False -
private_0x00007ff65cd75000 0x7ff65cd75000 0x7ff65cd76fff Private Memory rw True False False -
private_0x00007ff65cd77000 0x7ff65cd77000 0x7ff65cd77fff Private Memory rw True False False -
private_0x00007ff65cd78000 0x7ff65cd78000 0x7ff65cd79fff Private Memory rw True False False -
private_0x00007ff65cd7a000 0x7ff65cd7a000 0x7ff65cd7bfff Private Memory rw True False False -
private_0x00007ff65cd7c000 0x7ff65cd7c000 0x7ff65cd7dfff Private Memory rw True False False -
private_0x00007ff65cd7e000 0x7ff65cd7e000 0x7ff65cd7ffff Private Memory rw True False False -
werfault.exe 0x7ff65dca0000 0x7ff65dceafff Memory Mapped File rwx False False False -
dbgeng.dll 0x7ffc3e380000 0x7ffc3e85bfff Memory Mapped File rwx False False False -
wer.dll 0x7ffc3ec10000 0x7ffc3ecadfff Memory Mapped File rwx False False False -
dbghelp.dll 0x7ffc3f1e0000 0x7ffc3f369fff Memory Mapped File rwx False False False -
dui70.dll 0x7ffc3ff20000 0x7ffc400cffff Memory Mapped File rwx False False False -
windows.security.authentication.onlineid.dll 0x7ffc44de0000 0x7ffc44e92fff Memory Mapped File rwx False False False -
actxprxy.dll 0x7ffc48ff0000 0x7ffc49459fff Memory Mapped File rwx False False False -
webio.dll 0x7ffc4a100000 0x7ffc4a17ffff Memory Mapped File rwx False False False -
npmproxy.dll 0x7ffc4b090000 0x7ffc4b09dfff Memory Mapped File rwx False False False -
secur32.dll 0x7ffc4b6e0000 0x7ffc4b6ebfff Memory Mapped File rwx False False False -
version.dll 0x7ffc4b890000 0x7ffc4b899fff Memory Mapped File rwx False False False -
ondemandconnroutehelper.dll 0x7ffc4b8c0000 0x7ffc4b8d4fff Memory Mapped File rwx False False False -
netprofm.dll 0x7ffc4c220000 0x7ffc4c25efff Memory Mapped File rwx False False False -
rasadhlp.dll 0x7ffc4c270000 0x7ffc4c279fff Memory Mapped File rwx False False False -
comctl32.dll 0x7ffc4cbd0000 0x7ffc4ce43fff Memory Mapped File rwx False False False -
dbgmodel.dll 0x7ffc4d040000 0x7ffc4d0d0fff Memory Mapped File rwx False False False -
werui.dll 0x7ffc4d060000 0x7ffc4d0d3fff Memory Mapped File rwx False False False -
faultrep.dll 0x7ffc4d480000 0x7ffc4d4ddfff Memory Mapped File rwx False False False -
winhttp.dll 0x7ffc4d9d0000 0x7ffc4daa5fff Memory Mapped File rwx False False False -
xmllite.dll 0x7ffc4fb00000 0x7ffc4fb35fff Memory Mapped File rwx False False False -
fwpuclnt.dll 0x7ffc50980000 0x7ffc509e7fff Memory Mapped File rwx False False False -
dhcpcsvc.dll 0x7ffc50a50000 0x7ffc50a69fff Memory Mapped File rwx False False False -
dhcpcsvc6.dll 0x7ffc50a70000 0x7ffc50a85fff Memory Mapped File rwx False False False -
dbgcore.dll 0x7ffc50db0000 0x7ffc50dd4fff Memory Mapped File rwx False False False -
winnsi.dll 0x7ffc51c30000 0x7ffc51c3afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7ffc51c50000 0x7ffc51c87fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7ffc52d70000 0x7ffc52e05fff Memory Mapped File rwx False False False -
devobj.dll 0x7ffc52ef0000 0x7ffc52f16fff Memory Mapped File rwx False False False -
twinapi.appcore.dll 0x7ffc52f40000 0x7ffc5302dfff Memory Mapped File rwx False False False -
ntmarta.dll 0x7ffc53920000 0x7ffc53951fff Memory Mapped File rwx False False False -
schannel.dll 0x7ffc53980000 0x7ffc539f3fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7ffc53a90000 0x7ffc53ac2fff Memory Mapped File rwx False False False -
userenv.dll 0x7ffc53b80000 0x7ffc53b9efff Memory Mapped File rwx False False False -
dnsapi.dll 0x7ffc53be0000 0x7ffc53c87fff Memory Mapped File rwx False False False -
mswsock.dll 0x7ffc53dd0000 0x7ffc53e2cfff Memory Mapped File rwx False False False -
dpapi.dll 0x7ffc541f0000 0x7ffc541f9fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7ffc54210000 0x7ffc54226fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7ffc54280000 0x7ffc5428afff Memory Mapped File rwx False False False -
sspicli.dll 0x7ffc54320000 0x7ffc5434bfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7ffc543d0000 0x7ffc5443afff Memory Mapped File rwx False False False -
profapi.dll 0x7ffc54580000 0x7ffc54592fff Memory Mapped File rwx False False False -
powrprof.dll 0x7ffc545a0000 0x7ffc545e9fff Memory Mapped File rwx False False False -
msasn1.dll 0x7ffc545f0000 0x7ffc54600fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7ffc54610000 0x7ffc5461efff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7ffc54620000 0x7ffc54663fff Memory Mapped File rwx False False False -
windows.storage.dll 0x7ffc54670000 0x7ffc54c97fff Memory Mapped File rwx False False False -
crypt32.dll 0x7ffc54db0000 0x7ffc54f70fff Memory Mapped File rwx False False False -
shcore.dll 0x7ffc54f80000 0x7ffc55032fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
imm32.dll 0x7ffc55280000 0x7ffc552b5fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
msctf.dll 0x7ffc55380000 0x7ffc554dbfff Memory Mapped File rwx False False False -
user32.dll 0x7ffc554e0000 0x7ffc5562dfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7ffc55910000 0x7ffc559cdfff Memory Mapped File rwx False False False -
shell32.dll 0x7ffc559d0000 0x7ffc56ef4fff Memory Mapped File rwx False False False -
nsi.dll 0x7ffc56f00000 0x7ffc56f07fff Memory Mapped File rwx False False False -
gdi32.dll 0x7ffc56f10000 0x7ffc57094fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
combase.dll 0x7ffc571d0000 0x7ffc5744bfff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ole32.dll 0x7ffc57750000 0x7ffc57890fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7ffc578a0000 0x7ffc578f0fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7ffc57900000 0x7ffc57968fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7ffc57970000 0x7ffc57a14fff Memory Mapped File rwx False False False -
advapi32.dll 0x7ffc57aa0000 0x7ffc57b45fff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #21: net.exe
0 0
Information Value
ID #21
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:02:14, Reason: Child Process
Unmonitor End Time: 00:02:15, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xde8
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xDF8
0xE08
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000090521a0000 0x90521a0000 0x90521bffff Private Memory rw True False False -
pagefile_0x00000090521a0000 0x90521a0000 0x90521affff Pagefile Backed Memory rw True False False -
pagefile_0x00000090521c0000 0x90521c0000 0x90521d3fff Pagefile Backed Memory r True False False -
private_0x00000090521e0000 0x90521e0000 0x905225ffff Private Memory rw True False False -
pagefile_0x0000009052260000 0x9052260000 0x9052263fff Pagefile Backed Memory r True False False -
pagefile_0x0000009052270000 0x9052270000 0x9052270fff Pagefile Backed Memory r True False False -
private_0x0000009052280000 0x9052280000 0x9052281fff Private Memory rw True False False -
private_0x00000090522a0000 0x90522a0000 0x905239ffff Private Memory rw True False False -
locale.nls 0x90523a0000 0x905245dfff Memory Mapped File r False False False -
pagefile_0x00007df5ff360000 0x7df5ff360000 0x7ff5ff35ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff706080000 0x7ff706080000 0x7ff70617ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff706180000 0x7ff706180000 0x7ff7061a2fff Pagefile Backed Memory r True False False -
private_0x00007ff7061a5000 0x7ff7061a5000 0x7ff7061a5fff Private Memory rw True False False -
private_0x00007ff7061ae000 0x7ff7061ae000 0x7ff7061affff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #23: net1.exe
20 0
Information Value
ID #23
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:02:15, Reason: Child Process
Unmonitor End Time: 00:02:15, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xde0
Parent PID 0xde8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xDEC
0xDE4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000006931360000 0x6931360000 0x693137ffff Private Memory rw True False False -
pagefile_0x0000006931360000 0x6931360000 0x693136ffff Pagefile Backed Memory rw True False False -
private_0x0000006931370000 0x6931370000 0x6931376fff Private Memory rw True False False -
pagefile_0x0000006931380000 0x6931380000 0x6931393fff Pagefile Backed Memory r True False False -
private_0x00000069313a0000 0x69313a0000 0x693141ffff Private Memory rw True False False -
pagefile_0x0000006931420000 0x6931420000 0x6931423fff Pagefile Backed Memory r True False False -
pagefile_0x0000006931430000 0x6931430000 0x6931430fff Pagefile Backed Memory r True False False -
private_0x0000006931440000 0x6931440000 0x6931441fff Private Memory rw True False False -
locale.nls 0x6931450000 0x693150dfff Memory Mapped File r False False False -
private_0x0000006931510000 0x6931510000 0x6931516fff Private Memory rw True False False -
netmsg.dll 0x6931520000 0x6931522fff Memory Mapped File rwx False False False -
private_0x0000006931540000 0x6931540000 0x693163ffff Private Memory rw True False False -
private_0x0000006931640000 0x6931640000 0x69316bffff Private Memory rw True False False -
netmsg.dll.mui 0x69316c0000 0x69316f1fff Memory Mapped File r False False False -
private_0x00000069317e0000 0x69317e0000 0x69317effff Private Memory rw True False False -
pagefile_0x00007df5ffea0000 0x7df5ffea0000 0x7ff5ffe9ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff71a180000 0x7ff71a180000 0x7ff71a27ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff71a280000 0x7ff71a280000 0x7ff71a2a2fff Pagefile Backed Memory r True False False -
private_0x00007ff71a2aa000 0x7ff71a2aa000 0x7ff71a2abfff Private Memory rw True False False -
private_0x00007ff71a2ac000 0x7ff71a2ac000 0x7ff71a2acfff Private Memory rw True False False -
private_0x00007ff71a2ae000 0x7ff71a2ae000 0x7ff71a2affff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc466b0000 0x7ffc466c3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x6931520000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (7)
Operation Additional Information Success Count
Control service_name = SAMSS True 1
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Process #24: net.exe
0 0
Information Value
ID #24
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:02:26, Reason: Child Process
Unmonitor End Time: 00:02:27, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x63c
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xEB0
0xE9C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000007b445c0000 0x7b445c0000 0x7b445dffff Private Memory rw True False False -
pagefile_0x0000007b445c0000 0x7b445c0000 0x7b445cffff Pagefile Backed Memory rw True False False -
pagefile_0x0000007b445e0000 0x7b445e0000 0x7b445f3fff Pagefile Backed Memory r True False False -
private_0x0000007b44600000 0x7b44600000 0x7b4467ffff Private Memory rw True False False -
pagefile_0x0000007b44680000 0x7b44680000 0x7b44683fff Pagefile Backed Memory r True False False -
pagefile_0x0000007b44690000 0x7b44690000 0x7b44690fff Pagefile Backed Memory r True False False -
private_0x0000007b446a0000 0x7b446a0000 0x7b446a1fff Private Memory rw True False False -
private_0x0000007b44700000 0x7b44700000 0x7b447fffff Private Memory rw True False False -
locale.nls 0x7b44800000 0x7b448bdfff Memory Mapped File r False False False -
pagefile_0x00007df5ffaf0000 0x7df5ffaf0000 0x7ff5ffaeffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff706510000 0x7ff706510000 0x7ff70660ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff706610000 0x7ff706610000 0x7ff706632fff Pagefile Backed Memory r True False False -
private_0x00007ff706637000 0x7ff706637000 0x7ff706637fff Private Memory rw True False False -
private_0x00007ff70663e000 0x7ff70663e000 0x7ff70663ffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #26: svchost.exe
91 0
Information Value
ID #26
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:26, Reason: Injection
Unmonitor End Time: 00:05:22, Reason: Crashed
Monitor Duration 00:02:56
OS Process Information
Information Value
PID 0xf88
Parent PID 0x1e4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x2EC
0x388
0xF9C
0xF98
0xF8C
0xDCC
0xE98
0xC3C
0xC5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
pagefile_0x0000005431280000 0x5431280000 0x543128ffff Pagefile Backed Memory rw True False False -
svchost.exe.mui 0x5431290000 0x5431290fff Memory Mapped File r False False False -
pagefile_0x00000054312a0000 0x54312a0000 0x54312b3fff Pagefile Backed Memory r True False False -
private_0x00000054312c0000 0x54312c0000 0x543133ffff Private Memory rw True False False -
pagefile_0x0000005431340000 0x5431340000 0x5431343fff Pagefile Backed Memory r True False False -
pagefile_0x0000005431350000 0x5431350000 0x5431350fff Pagefile Backed Memory r True False False -
private_0x0000005431360000 0x5431360000 0x5431361fff Private Memory rw True False False -
locale.nls 0x5431370000 0x543142dfff Memory Mapped File r False False False -
private_0x0000005431430000 0x5431430000 0x5431430fff Private Memory rw True False False -
private_0x0000005431440000 0x5431440000 0x5431440fff Private Memory rw True False False -
phoneutilres.dll 0x5431450000 0x5431450fff Memory Mapped File r False False False -
private_0x0000005431460000 0x5431460000 0x5431466fff Private Memory rw True False False -
private_0x0000005431470000 0x5431470000 0x54314effff Private Memory rw True False False -
private_0x00000054314f0000 0x54314f0000 0x54314f0fff Private Memory rw True False False -
private_0x0000005431500000 0x5431500000 0x54315fffff Private Memory rw True False False -
pagefile_0x0000005431600000 0x5431600000 0x5431787fff Pagefile Backed Memory r True False False -
pagefile_0x0000005431790000 0x5431790000 0x5431790fff Pagefile Backed Memory r True False False -
private_0x00000054317a0000 0x54317a0000 0x54317a6fff Private Memory rw True False False -
pagefile_0x00000054317b0000 0x54317b0000 0x54317b0fff Pagefile Backed Memory r True False False -
syncres.dll 0x54317c0000 0x54317c0fff Memory Mapped File r False False False -
private_0x0000005431800000 0x5431800000 0x54318fffff Private Memory rw True False False -
pagefile_0x0000005431900000 0x5431900000 0x5431a80fff Pagefile Backed Memory r True False False -
pagefile_0x0000005431a90000 0x5431a90000 0x5432e8ffff Pagefile Backed Memory r True False False -
private_0x0000005432e90000 0x5432e90000 0x5432f8ffff Private Memory rw True False False -
private_0x0000005432f90000 0x5432f90000 0x543308ffff Private Memory rw True False False -
private_0x0000005433090000 0x5433090000 0x543310ffff Private Memory rw True False False -
private_0x0000005433110000 0x5433110000 0x543320ffff Private Memory rw True False False -
private_0x0000005433210000 0x5433210000 0x543330ffff Private Memory rw True False False -
private_0x0000005433310000 0x5433310000 0x543340ffff Private Memory rw True False False -
sortdefault.nls 0x5433410000 0x5433746fff Memory Mapped File r False False False -
private_0x0000005433750000 0x5433750000 0x543384ffff Private Memory rw True False False -
pagefile_0x00007df5ff620000 0x7df5ff620000 0x7ff5ff61ffff Pagefile Backed Memory - True False False -
private_0x00007ff6d3e70000 0x7ff6d3e70000 0x7ff6d4205fff Private Memory rwx True False False -
private_0x00007ff6e01bc000 0x7ff6e01bc000 0x7ff6e01bdfff Private Memory rw True False False -
private_0x00007ff6e01be000 0x7ff6e01be000 0x7ff6e01bffff Private Memory rw True False False -
pagefile_0x00007ff6e01c0000 0x7ff6e01c0000 0x7ff6e02bffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6e02c0000 0x7ff6e02c0000 0x7ff6e02e2fff Pagefile Backed Memory r True False False -
private_0x00007ff6e02e3000 0x7ff6e02e3000 0x7ff6e02e3fff Private Memory rw True False False -
private_0x00007ff6e02e4000 0x7ff6e02e4000 0x7ff6e02e5fff Private Memory rw True False False -
private_0x00007ff6e02e6000 0x7ff6e02e6000 0x7ff6e02e7fff Private Memory rw True False False -
private_0x00007ff6e02e8000 0x7ff6e02e8000 0x7ff6e02e9fff Private Memory rw True False False -
private_0x00007ff6e02ea000 0x7ff6e02ea000 0x7ff6e02ebfff Private Memory rw True False False -
private_0x00007ff6e02ec000 0x7ff6e02ec000 0x7ff6e02edfff Private Memory rw True False False -
private_0x00007ff6e02ee000 0x7ff6e02ee000 0x7ff6e02effff Private Memory rw True False False -
svchost.exe 0x7ff6e1100000 0x7ff6e110cfff Memory Mapped File rwx False False False -
phoneutil.dll 0x7ffc3f3a0000 0x7ffc3f3e0fff Memory Mapped File rwx False False False -
pimstore.dll 0x7ffc3f3f0000 0x7ffc3f560fff Memory Mapped File rwx False False False -
syncutil.dll 0x7ffc3f570000 0x7ffc3f5b6fff Memory Mapped File rwx False False False -
userdataplatformhelperutil.dll 0x7ffc3f610000 0x7ffc3f625fff Memory Mapped File rwx False False False -
aphostservice.dll 0x7ffc3f630000 0x7ffc3f67dfff Memory Mapped File rwx False False False -
vaultcli.dll 0x7ffc46900000 0x7ffc46947fff Memory Mapped File rwx False False False -
tokenbroker.dll 0x7ffc486a0000 0x7ffc48765fff Memory Mapped File rwx False False False -
dsclient.dll 0x7ffc48ed0000 0x7ffc48edbfff Memory Mapped File rwx False False False -
userdatatypehelperutil.dll 0x7ffc48ee0000 0x7ffc48ef0fff Memory Mapped File rwx False False False -
actxprxy.dll 0x7ffc48ff0000 0x7ffc49459fff Memory Mapped File rwx False False False -
inproclogger.dll 0x7ffc4b0a0000 0x7ffc4b0acfff Memory Mapped File rwx False False False -
esent.dll 0x7ffc4bc70000 0x7ffc4bf51fff Memory Mapped File rwx False False False -
mccspal.dll 0x7ffc4cad0000 0x7ffc4cadafff Memory Mapped File rwx False False False -
idstore.dll 0x7ffc4cf00000 0x7ffc4cf26fff Memory Mapped File rwx False False False -
userdatatimeutil.dll 0x7ffc4d0e0000 0x7ffc4d100fff Memory Mapped File rwx False False False -
accountaccessor.dll 0x7ffc4d110000 0x7ffc4d145fff Memory Mapped File rwx False False False -
cemapi.dll 0x7ffc4d150000 0x7ffc4d18ffff Memory Mapped File rwx False False False -
winhttp.dll 0x7ffc4d9d0000 0x7ffc4daa5fff Memory Mapped File rwx False False False -
iertutil.dll 0x7ffc4ddd0000 0x7ffc4e145fff Memory Mapped File rwx False False False -
samlib.dll 0x7ffc50bd0000 0x7ffc50bebfff Memory Mapped File rwx False False False -
wintypes.dll 0x7ffc50c00000 0x7ffc50d30fff Memory Mapped File rwx False False False -
userdatalanguageutil.dll 0x7ffc50d90000 0x7ffc50da0fff Memory Mapped File rwx False False False -
synccontroller.dll 0x7ffc50e50000 0x7ffc50ebbfff Memory Mapped File rwx False False False -
aphostclient.dll 0x7ffc513e0000 0x7ffc513effff Memory Mapped File rwx False False False -
networkhelper.dll 0x7ffc51a30000 0x7ffc51a46fff Memory Mapped File rwx False False False -
winnsi.dll 0x7ffc51c30000 0x7ffc51c3afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7ffc51c50000 0x7ffc51c87fff Memory Mapped File rwx False False False -
nlaapi.dll 0x7ffc51cb0000 0x7ffc51cc7fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7ffc52640000 0x7ffc52652fff Memory Mapped File rwx False False False -
mpr.dll 0x7ffc53810000 0x7ffc5382bfff Memory Mapped File rwx False False False -
ntmarta.dll 0x7ffc53920000 0x7ffc53951fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7ffc53a90000 0x7ffc53ac2fff Memory Mapped File rwx False False False -
userenv.dll 0x7ffc53b80000 0x7ffc53b9efff Memory Mapped File rwx False False False -
msv1_0.dll 0x7ffc53d70000 0x7ffc53dcefff Memory Mapped File rwx False False False -
ntlmshared.dll 0x7ffc54200000 0x7ffc5420afff Memory Mapped File rwx False False False -
cryptsp.dll 0x7ffc54210000 0x7ffc54226fff Memory Mapped File rwx False False False -
cryptdll.dll 0x7ffc54260000 0x7ffc54273fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7ffc54280000 0x7ffc5428afff Memory Mapped File rwx False False False -
sspicli.dll 0x7ffc54320000 0x7ffc5434bfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7ffc543d0000 0x7ffc5443afff Memory Mapped File rwx False False False -
profapi.dll 0x7ffc54580000 0x7ffc54592fff Memory Mapped File rwx False False False -
powrprof.dll 0x7ffc545a0000 0x7ffc545e9fff Memory Mapped File rwx False False False -
msasn1.dll 0x7ffc545f0000 0x7ffc54600fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7ffc54610000 0x7ffc5461efff Memory Mapped File rwx False False False -
windows.storage.dll 0x7ffc54670000 0x7ffc54c97fff Memory Mapped File rwx False False False -
crypt32.dll 0x7ffc54db0000 0x7ffc54f70fff Memory Mapped File rwx False False False -
shcore.dll 0x7ffc54f80000 0x7ffc55032fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
imm32.dll 0x7ffc55280000 0x7ffc552b5fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
msctf.dll 0x7ffc55380000 0x7ffc554dbfff Memory Mapped File rwx False False False -
user32.dll 0x7ffc554e0000 0x7ffc5562dfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7ffc55910000 0x7ffc559cdfff Memory Mapped File rwx False False False -
shell32.dll 0x7ffc559d0000 0x7ffc56ef4fff Memory Mapped File rwx False False False -
nsi.dll 0x7ffc56f00000 0x7ffc56f07fff Memory Mapped File rwx False False False -
gdi32.dll 0x7ffc56f10000 0x7ffc57094fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
combase.dll 0x7ffc571d0000 0x7ffc5744bfff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ole32.dll 0x7ffc57750000 0x7ffc57890fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7ffc578a0000 0x7ffc578f0fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7ffc57970000 0x7ffc57a14fff Memory Mapped File rwx False False False -
advapi32.dll 0x7ffc57aa0000 0x7ffc57b45fff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #2: c:\users\public\mksmd.exe 0x6b4 address = 0x7ff6d3e70000, size = 3760128 True 1
Fn
Data
Create Remote Thread #2: c:\users\public\mksmd.exe 0x6b4 address = 0x7ff6d3e72870 True 1
Fn
Host Behavior
File (3)
Operation Filename Additional Information Success Count Logfile
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN False 2
Fn
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1
Fn
Module (78)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x7ffc55800000 True 1
Fn
Load mpr.dll base_address = 0x7ffc53810000 True 1
Fn
Load advapi32.dll base_address = 0x7ffc57aa0000 True 1
Fn
Load ole32.dll base_address = 0x7ffc57750000 True 1
Fn
Load Shell32.dll base_address = 0x7ffc559d0000 True 1
Fn
Load Iphlpapi.dll base_address = 0x7ffc51c50000 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x7ffc55822080 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x7ffc55816060 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualFree, address_out = 0x7ffc5581bc10 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptExportKey, address_out = 0x7ffc57ab7b50 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = DeleteFileW, address_out = 0x7ffc558257a0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetDriveTypeW, address_out = 0x7ffc558258f0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineW, address_out = 0x7ffc55820150 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoW, address_out = 0x7ffc5581ed80 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindNextFileW, address_out = 0x7ffc55825880 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualAlloc, address_out = 0x7ffc5581baf0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7ffc57acec40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x7ffc5581ef50 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Wow64RevertWow64FsRedirection, address_out = 0x7ffc558436a0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateProcessA, address_out = 0x7ffc5581d5b0 True 1
Fn
Get Address c:\windows\system32\iphlpapi.dll function = GetIpNetTable, address_out = 0x7ffc51c6f0b0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetVersionExW, address_out = 0x7ffc5581aa30 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Wow64DisableWow64FsRedirection, address_out = 0x7ffc55843690 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetSystemDefaultLangID, address_out = 0x7ffc55822ba0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameW, address_out = 0x7ffc57abda40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x7ffc55825a90 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7ffc57ab7dd0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x7ffc55825510 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegSetValueExW, address_out = 0x7ffc57ab7850 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7ffc57ab72e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileA, address_out = 0x7ffc5583e430 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesW, address_out = 0x7ffc55825b00 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WinExec, address_out = 0x7ffc55841e60 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDeriveKey, address_out = 0x7ffc57ad07a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptGenKey, address_out = 0x7ffc57abcab0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Sleep, address_out = 0x7ffc55818f00 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x7ffc55816580 True 1
Fn
Get Address c:\windows\system32\shell32.dll function = ShellExecuteW, address_out = 0x7ffc55b1abc0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x7ffc55825950 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GlobalAlloc, address_out = 0x7ffc5581b810 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x7ffc558257c0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WaitForMultipleObjects, address_out = 0x7ffc558256e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x7ffc55820c70 True 1
Fn
Get Address c:\windows\system32\shell32.dll function = ShellExecuteA, address_out = 0x7ffc55bd7de0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x7ffc5581e6d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameW, address_out = 0x7ffc5581eca0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x7ffc55825760 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileSizeEx, address_out = 0x7ffc55825960 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x7ffc55825b80 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetLogicalDrives, address_out = 0x7ffc558166d0 True 1
Fn
Get Address c:\windows\system32\mpr.dll function = WNetEnumResourceW, address_out = 0x7ffc538127d0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExW, address_out = 0x7ffc57ab6cb0 True 1
Fn
Get Address c:\windows\system32\mpr.dll function = WNetCloseEnum, address_out = 0x7ffc53812e20 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x7ffc55822940 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesA, address_out = 0x7ffc55825af0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7ffc57ab7d70 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x7ffc55825b20 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTickCount, address_out = 0x7ffc558160a0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesW, address_out = 0x7ffc55825930 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileW, address_out = 0x7ffc55825840 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextW, address_out = 0x7ffc57ab89e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = MoveFileExW, address_out = 0x7ffc55823010 True 1
Fn
Get Address c:\windows\system32\mpr.dll function = WNetOpenEnumW, address_out = 0x7ffc53812f20 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoInitialize, address_out = 0x7ffc57763870 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDecrypt, address_out = 0x7ffc57ab9140 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptImportKey, address_out = 0x7ffc57ab7b40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFilePointerEx, address_out = 0x7ffc55825b30 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileW, address_out = 0x7ffc55825d70 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x7ffc5581eb90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateProcessW, address_out = 0x7ffc5581dee0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateDirectoryW, address_out = 0x7ffc55825740 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateThread, address_out = 0x7ffc5581bc20 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyKey, address_out = 0x7ffc57ab86b0 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7ffc57257000 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileW, address_out = 0x7ffc55825770 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x7ffc55825900 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptEncrypt, address_out = 0x7ffc57abd7e0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegDeleteValueW, address_out = 0x7ffc57ab90b0 True 1
Fn
User (1)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Fn
System (7)
Operation Additional Information Success Count Logfile
Sleep duration = 5000 milliseconds (5.000 seconds) True 1
Fn
Sleep duration = 25000 milliseconds (25.000 seconds) True 2
Fn
Get Info type = Operating System True 1
Fn
Get Info type = Windows Directory, result_out = C:\Windows True 3
Fn
Process #27: net1.exe
Information Value
ID #27
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:02:26, Reason: Child Process
Unmonitor End Time: 00:02:27, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xea4
Parent PID 0x63c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xEA8
0xEB8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000000e0cb50000 0xe0cb50000 0xe0cb6ffff Private Memory rw True False False -
pagefile_0x0000000e0cb50000 0xe0cb50000 0xe0cb5ffff Pagefile Backed Memory rw True False False -
private_0x0000000e0cb60000 0xe0cb60000 0xe0cb66fff Private Memory rw True False False -
pagefile_0x0000000e0cb70000 0xe0cb70000 0xe0cb83fff Pagefile Backed Memory r True False False -
private_0x0000000e0cb90000 0xe0cb90000 0xe0cc0ffff Private Memory rw True False False -
pagefile_0x0000000e0cc10000 0xe0cc10000 0xe0cc13fff Pagefile Backed Memory r True False False -
pagefile_0x0000000e0cc20000 0xe0cc20000 0xe0cc20fff Pagefile Backed Memory r True False False -
private_0x0000000e0cc30000 0xe0cc30000 0xe0cc31fff Private Memory rw True False False -
locale.nls 0xe0cc40000 0xe0ccfdfff Memory Mapped File r False False False -
private_0x0000000e0cd00000 0xe0cd00000 0xe0cd7ffff Private Memory rw True False False -
private_0x0000000e0cd80000 0xe0cd80000 0xe0cd86fff Private Memory rw True False False -
private_0x0000000e0cd90000 0xe0cd90000 0xe0cd9ffff Private Memory rw True False False -
netmsg.dll 0xe0cda0000 0xe0cda2fff Memory Mapped File rwx False False False -
netmsg.dll.mui 0xe0cdb0000 0xe0cde1fff Memory Mapped File r False False False -
private_0x0000000e0cdf0000 0xe0cdf0000 0xe0ceeffff Private Memory rw True False False -
pagefile_0x00007df5ff4c0000 0x7df5ff4c0000 0x7ff5ff4bffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff719400000 0x7ff719400000 0x7ff7194fffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff719500000 0x7ff719500000 0x7ff719522fff Pagefile Backed Memory r True False False -
private_0x00007ff71952a000 0x7ff71952a000 0x7ff71952bfff Private Memory rw True False False -
private_0x00007ff71952c000 0x7ff71952c000 0x7ff71952dfff Private Memory rw True False False -
private_0x00007ff71952e000 0x7ff71952e000 0x7ff71952efff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc4d200000 0x7ffc4d213fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 71 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0xe0cda0000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (7)
Operation Additional Information Success Count Logfile
Control service_name = SAMSS True 1
Fn
Get Info service_name = SAMSS True 1
Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Process #28: werfault.exe
Information Value
ID #28
File Name c:\windows\system32\werfault.exe
Command Line C:\Windows\system32\WerFault.exe -u -p 1916 -s 1160
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:32, Reason: Child Process
Unmonitor End Time: 00:02:34, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdb4
Parent PID 0x77c (c:\windows\system32\taskhostw.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x248
0x764
0xEE0
0xEE8
0x790
0xEFC
0xF00
0xF04
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000ee07fc0000 0xee07fc0000 0xee07fdffff Private Memory rw True False False -
pagefile_0x000000ee07fc0000 0xee07fc0000 0xee07fcffff Pagefile Backed Memory rw True False False -
private_0x000000ee07fd0000 0xee07fd0000 0xee07fd6fff Private Memory rw True False False -
pagefile_0x000000ee07fe0000 0xee07fe0000 0xee07ff3fff Pagefile Backed Memory r True False False -
private_0x000000ee08000000 0xee08000000 0xee0807ffff Private Memory rw True False False -
pagefile_0x000000ee08080000 0xee08080000 0xee08083fff Pagefile Backed Memory r True False False -
pagefile_0x000000ee08090000 0xee08090000 0xee08092fff Pagefile Backed Memory r True False False -
private_0x000000ee080a0000 0xee080a0000 0xee080a1fff Private Memory rw True False False -
private_0x000000ee080b0000 0xee080b0000 0xee080b6fff Private Memory rw True False False -
private_0x000000ee080c0000 0xee080c0000 0xee081bffff Private Memory rw True False False -
locale.nls 0xee081c0000 0xee0827dfff Memory Mapped File r False False False -
private_0x000000ee08280000 0xee08280000 0xee082fffff Private Memory rw True False False -
werfault.exe.mui 0xee08300000 0xee08303fff Memory Mapped File r False False False -
private_0x000000ee08310000 0xee08310000 0xee08310fff Private Memory rw True False False -
private_0x000000ee08320000 0xee08320000 0xee08320fff Private Memory rw True False False -
pagefile_0x000000ee08330000 0xee08330000 0xee08330fff Pagefile Backed Memory rw True False False -
faultrep.dll.mui 0xee08340000 0xee08341fff Memory Mapped File r False False False -
wer.dll.mui 0xee08350000 0xee08352fff Memory Mapped File r False False False -
private_0x000000ee08360000 0xee08360000 0xee08366fff Private Memory rw True False False -
pagefile_0x000000ee08370000 0xee08370000 0xee08371fff Pagefile Backed Memory r True False False -
pagefile_0x000000ee08380000 0xee08380000 0xee08381fff Pagefile Backed Memory r True False False -
werui.dll.mui 0xee08390000 0xee08394fff Memory Mapped File r False False False -
private_0x000000ee083a0000 0xee083a0000 0xee083affff Private Memory rw True False False -
ntdll.dll.mui 0xee083b0000 0xee08415fff Memory Mapped File r False False False -
pagefile_0x000000ee08420000 0xee08420000 0xee08421fff Pagefile Backed Memory r True False False -
pagefile_0x000000ee08430000 0xee08430000 0xee08430fff Pagefile Backed Memory r True False False -
pagefile_0x000000ee08440000 0xee08440000 0xee08441fff Pagefile Backed Memory r True False False -
private_0x000000ee08460000 0xee08460000 0xee0846ffff Private Memory rw True False False -
private_0x000000ee084d0000 0xee084d0000 0xee084dffff Private Memory rw True False False -
pagefile_0x000000ee084e0000 0xee084e0000 0xee08667fff Pagefile Backed Memory r True False False -
pagefile_0x000000ee08670000 0xee08670000 0xee087f0fff Pagefile Backed Memory r True False False -
pagefile_0x000000ee08800000 0xee08800000 0xee09bfffff Pagefile Backed Memory r True False False -
sortdefault.nls 0xee09c00000 0xee09f36fff Memory Mapped File r False False False -
private_0x000000ee09f40000 0xee09f40000 0xee09fbffff Private Memory rw True False False -
private_0x000000ee09fc0000 0xee09fc0000 0xee0a0bffff Private Memory rw True False False -
private_0x000000ee0a0c0000 0xee0a0c0000 0xee0a1bffff Private Memory rw True False False -
private_0x000000ee0a1c0000 0xee0a1c0000 0xee0a2bffff Private Memory rw True False False -
kernelbase.dll.mui 0xee0a2c0000 0xee0a39efff Memory Mapped File r False False False -
private_0x000000ee0a3a0000 0xee0a3a0000 0xee0a49ffff Private Memory rw True False False -
private_0x000000ee0a4a0000 0xee0a4a0000 0xee0a51ffff Private Memory rw True False False -
private_0x000000ee0a520000 0xee0a520000 0xee0a59ffff Private Memory rw True False False -
private_0x000000ee0a5a0000 0xee0a5a0000 0xee0a61ffff Private Memory rw True False False -
private_0x000000ee0a620000 0xee0a620000 0xee0a69ffff Private Memory rw True False False -
pagefile_0x00007df5ff110000 0x7df5ff110000 0x7ff5ff10ffff Pagefile Backed Memory - True False False -
private_0x00007ff65cdac000 0x7ff65cdac000 0x7ff65cdadfff Private Memory rw True False False -
private_0x00007ff65cdae000 0x7ff65cdae000 0x7ff65cdaffff Private Memory rw True False False -
pagefile_0x00007ff65cdb0000 0x7ff65cdb0000 0x7ff65ceaffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff65ceb0000 0x7ff65ceb0000 0x7ff65ced2fff Pagefile Backed Memory r True False False -
private_0x00007ff65ced4000 0x7ff65ced4000 0x7ff65ced5fff Private Memory rw True False False -
private_0x00007ff65ced6000 0x7ff65ced6000 0x7ff65ced7fff Private Memory rw True False False -
private_0x00007ff65ced8000 0x7ff65ced8000 0x7ff65ced9fff Private Memory rw True False False -
private_0x00007ff65ceda000 0x7ff65ceda000 0x7ff65cedafff Private Memory rw True False False -
private_0x00007ff65cedc000 0x7ff65cedc000 0x7ff65ceddfff Private Memory rw True False False -
private_0x00007ff65cede000 0x7ff65cede000 0x7ff65cedffff Private Memory rw True False False -
werfault.exe 0x7ff65dca0000 0x7ff65dceafff Memory Mapped File rwx False False False -
dbgeng.dll 0x7ffc3e170000 0x7ffc3e64bfff Memory Mapped File rwx False False False -
wer.dll 0x7ffc3ec10000 0x7ffc3ecadfff Memory Mapped File rwx False False False -
dbghelp.dll 0x7ffc3f1e0000 0x7ffc3f369fff Memory Mapped File rwx False False False -
dui70.dll 0x7ffc3ff20000 0x7ffc400cffff Memory Mapped File rwx False False False -
dbgmodel.dll 0x7ffc48e30000 0x7ffc48ec0fff Memory Mapped File rwx False False False -
riched20.dll 0x7ffc48e30000 0x7ffc48ecafff Memory Mapped File rwx False False False -
secur32.dll 0x7ffc4b6e0000 0x7ffc4b6ebfff Memory Mapped File rwx False False False -
version.dll 0x7ffc4b890000 0x7ffc4b899fff Memory Mapped File rwx False False False -
comctl32.dll 0x7ffc4cbd0000 0x7ffc4ce43fff Memory Mapped File rwx False False False -
werui.dll 0x7ffc4d060000 0x7ffc4d0d3fff Memory Mapped File rwx False False False -
msls31.dll 0x7ffc4d220000 0x7ffc4d257fff Memory Mapped File rwx False False False -
faultrep.dll 0x7ffc4d480000 0x7ffc4d4ddfff Memory Mapped File rwx False False False -
duser.dll 0x7ffc4f3a0000 0x7ffc4f438fff Memory Mapped File rwx False False False -
xmllite.dll 0x7ffc4fb00000 0x7ffc4fb35fff Memory Mapped File rwx False False False -
dbgcore.dll 0x7ffc50db0000 0x7ffc50dd4fff Memory Mapped File rwx False False False -
usp10.dll 0x7ffc513c0000 0x7ffc513d7fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7ffc52d70000 0x7ffc52e05fff Memory Mapped File rwx False False False -
devobj.dll 0x7ffc52ef0000 0x7ffc52f16fff Memory Mapped File rwx False False False -
ntmarta.dll 0x7ffc53920000 0x7ffc53951fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7ffc53a90000 0x7ffc53ac2fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7ffc54210000 0x7ffc54226fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7ffc54280000 0x7ffc5428afff Memory Mapped File rwx False False False -
sspicli.dll 0x7ffc54320000 0x7ffc5434bfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7ffc543d0000 0x7ffc5443afff Memory Mapped File rwx False False False -
profapi.dll 0x7ffc54580000 0x7ffc54592fff Memory Mapped File rwx False False False -
powrprof.dll 0x7ffc545a0000 0x7ffc545e9fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7ffc54610000 0x7ffc5461efff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7ffc54620000 0x7ffc54663fff Memory Mapped File rwx False False False -
windows.storage.dll 0x7ffc54670000 0x7ffc54c97fff Memory Mapped File rwx False False False -
shcore.dll 0x7ffc54f80000 0x7ffc55032fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
imm32.dll 0x7ffc55280000 0x7ffc552b5fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
msctf.dll 0x7ffc55380000 0x7ffc554dbfff Memory Mapped File rwx False False False -
user32.dll 0x7ffc554e0000 0x7ffc5562dfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7ffc55910000 0x7ffc559cdfff Memory Mapped File rwx False False False -
shell32.dll 0x7ffc559d0000 0x7ffc56ef4fff Memory Mapped File rwx False False False -
gdi32.dll 0x7ffc56f10000 0x7ffc57094fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
combase.dll 0x7ffc571d0000 0x7ffc5744bfff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ole32.dll 0x7ffc57750000 0x7ffc57890fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7ffc578a0000 0x7ffc578f0fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7ffc57970000 0x7ffc57a14fff Memory Mapped File rwx False False False -
advapi32.dll 0x7ffc57aa0000 0x7ffc57b45fff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #29: net.exe
Information Value
ID #29
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:02:34, Reason: Child Process
Unmonitor End Time: 00:02:36, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe20
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE24
0x3C0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000005015f60000 0x5015f60000 0x5015f7ffff Private Memory rw True False False -
pagefile_0x0000005015f60000 0x5015f60000 0x5015f6ffff Pagefile Backed Memory rw True False False -
private_0x0000005015f70000 0x5015f70000 0x5015f76fff Private Memory rw True False False -
pagefile_0x0000005015f80000 0x5015f80000 0x5015f93fff Pagefile Backed Memory r True False False -
private_0x0000005015fa0000 0x5015fa0000 0x501601ffff Private Memory rw True False False -
pagefile_0x0000005016020000 0x5016020000 0x5016023fff Pagefile Backed Memory r True False False -
pagefile_0x0000005016030000 0x5016030000 0x5016030fff Pagefile Backed Memory r True False False -
private_0x0000005016040000 0x5016040000 0x5016041fff Private Memory rw True False False -
locale.nls 0x5016050000 0x501610dfff Memory Mapped File r False False False -
private_0x0000005016110000 0x5016110000 0x5016116fff Private Memory rw True False False -
private_0x0000005016130000 0x5016130000 0x501622ffff Private Memory rw True False False -
private_0x0000005016230000 0x5016230000 0x50162affff Private Memory rw True False False -
private_0x00000050163c0000 0x50163c0000 0x50163cffff Private Memory rw True False False -
pagefile_0x00007df5ff1b0000 0x7df5ff1b0000 0x7ff5ff1affff Pagefile Backed Memory - True False False -
pagefile_0x00007ff706120000 0x7ff706120000 0x7ff70621ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff706220000 0x7ff706220000 0x7ff706242fff Pagefile Backed Memory r True False False -
private_0x00007ff706248000 0x7ff706248000 0x7ff706248fff Private Memory rw True False False -
private_0x00007ff70624c000 0x7ff70624c000 0x7ff70624dfff Private Memory rw True False False -
private_0x00007ff70624e000 0x7ff70624e000 0x7ff70624ffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
browcli.dll 0x7ffc513c0000 0x7ffc513d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
winnsi.dll 0x7ffc51c30000 0x7ffc51c3afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7ffc51c50000 0x7ffc51c87fff Memory Mapped File rwx False False False -
mpr.dll 0x7ffc53810000 0x7ffc5382bfff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
nsi.dll 0x7ffc56f00000 0x7ffc56f07fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #31: net1.exe
Information Value
ID #31
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:02:35, Reason: Child Process
Unmonitor End Time: 00:02:36, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf34
Parent PID 0xe20 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF94, 0xFF8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000001410660000 0x1410660000 0x141067ffff Private Memory rw True False False -
pagefile_0x0000001410660000 0x1410660000 0x141066ffff Pagefile Backed Memory rw True False False -
private_0x0000001410670000 0x1410670000 0x1410676fff Private Memory rw True False False -
pagefile_0x0000001410680000 0x1410680000 0x1410693fff Pagefile Backed Memory r True False False -
private_0x00000014106a0000 0x14106a0000 0x141071ffff Private Memory rw True False False -
pagefile_0x0000001410720000 0x1410720000 0x1410723fff Pagefile Backed Memory r True False False -
pagefile_0x0000001410730000 0x1410730000 0x1410730fff Pagefile Backed Memory r True False False -
private_0x0000001410740000 0x1410740000 0x1410741fff Private Memory rw True False False -
locale.nls 0x1410750000 0x141080dfff Memory Mapped File r False False False -
private_0x0000001410810000 0x1410810000 0x1410816fff Private Memory rw True False False -
netmsg.dll 0x1410820000 0x1410822fff Memory Mapped File rwx False False False -
private_0x0000001410860000 0x1410860000 0x141095ffff Private Memory rw True False False -
private_0x0000001410960000 0x1410960000 0x14109dffff Private Memory rw True False False -
netmsg.dll.mui 0x14109e0000 0x1410a11fff Memory Mapped File r False False False -
private_0x0000001410ab0000 0x1410ab0000 0x1410abffff Private Memory rw True False False -
pagefile_0x00007df5ff4a0000 0x7df5ff4a0000 0x7ff5ff49ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff719d20000 0x7ff719d20000 0x7ff719e1ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff719e20000 0x7ff719e20000 0x7ff719e42fff Pagefile Backed Memory r True False False -
private_0x00007ff719e44000 0x7ff719e44000 0x7ff719e44fff Private Memory rw True False False -
private_0x00007ff719e4c000 0x7ff719e4c000 0x7ff719e4dfff Private Memory rw True False False -
private_0x00007ff719e4e000 0x7ff719e4e000 0x7ff719e4ffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
browcli.dll 0x7ffc513c0000 0x7ffc513d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x1410820000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (7)
Operation Additional Information Success Count
Control service_name = SAMSS True 1
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Process #32: net.exe
Information Value
ID #32
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:02:36, Reason: Child Process
Unmonitor End Time: 00:02:37, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x910
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA70, 0xF64
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000004f93ae0000 0x4f93ae0000 0x4f93afffff Private Memory rw True False False -
pagefile_0x0000004f93ae0000 0x4f93ae0000 0x4f93aeffff Pagefile Backed Memory rw True False False -
pagefile_0x0000004f93b00000 0x4f93b00000 0x4f93b13fff Pagefile Backed Memory r True False False -
private_0x0000004f93b20000 0x4f93b20000 0x4f93b9ffff Private Memory rw True False False -
pagefile_0x0000004f93ba0000 0x4f93ba0000 0x4f93ba3fff Pagefile Backed Memory r True False False -
pagefile_0x0000004f93bb0000 0x4f93bb0000 0x4f93bb0fff Pagefile Backed Memory r True False False -
private_0x0000004f93bc0000 0x4f93bc0000 0x4f93bc1fff Private Memory rw True False False -
private_0x0000004f93bf0000 0x4f93bf0000 0x4f93ceffff Private Memory rw True False False -
locale.nls 0x4f93cf0000 0x4f93dadfff Memory Mapped File r False False False -
pagefile_0x00007df5ffac0000 0x7df5ffac0000 0x7ff5ffabffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff705c90000 0x7ff705c90000 0x7ff705d8ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff705d90000 0x7ff705d90000 0x7ff705db2fff Pagefile Backed Memory r True False False -
private_0x00007ff705db7000 0x7ff705db7000 0x7ff705db7fff Private Memory rw True False False -
private_0x00007ff705dbe000 0x7ff705dbe000 0x7ff705dbffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #34: net1.exe
Information Value
ID #34
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:02:36, Reason: Child Process
Unmonitor End Time: 00:02:37, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfa0
Parent PID 0x910 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFA4, 0xEBC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000584caf0000 0x584caf0000 0x584cb0ffff Private Memory rw True False False -
pagefile_0x000000584caf0000 0x584caf0000 0x584cafffff Pagefile Backed Memory rw True False False -
private_0x000000584cb00000 0x584cb00000 0x584cb06fff Private Memory rw True False False -
pagefile_0x000000584cb10000 0x584cb10000 0x584cb23fff Pagefile Backed Memory r True False False -
private_0x000000584cb30000 0x584cb30000 0x584cbaffff Private Memory rw True False False -
pagefile_0x000000584cbb0000 0x584cbb0000 0x584cbb3fff Pagefile Backed Memory r True False False -
pagefile_0x000000584cbc0000 0x584cbc0000 0x584cbc0fff Pagefile Backed Memory r True False False -
private_0x000000584cbd0000 0x584cbd0000 0x584cbd1fff Private Memory rw True False False -
private_0x000000584cbe0000 0x584cbe0000 0x584cbe6fff Private Memory rw True False False -
netmsg.dll 0x584cbf0000 0x584cbf2fff Memory Mapped File rwx False False False -
private_0x000000584cc20000 0x584cc20000 0x584cd1ffff Private Memory rw True False False -
locale.nls 0x584cd20000 0x584cdddfff Memory Mapped File r False False False -
private_0x000000584cde0000 0x584cde0000 0x584ce5ffff Private Memory rw True False False -
netmsg.dll.mui 0x584ce60000 0x584ce91fff Memory Mapped File r False False False -
private_0x000000584cf20000 0x584cf20000 0x584cf2ffff Private Memory rw True False False -
pagefile_0x00007df5ffba0000 0x7df5ffba0000 0x7ff5ffb9ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff719b20000 0x7ff719b20000 0x7ff719c1ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff719c20000 0x7ff719c20000 0x7ff719c42fff Pagefile Backed Memory r True False False -
private_0x00007ff719c4b000 0x7ff719c4b000 0x7ff719c4cfff Private Memory rw True False False -
private_0x00007ff719c4d000 0x7ff719c4d000 0x7ff719c4efff Private Memory rw True False False -
private_0x00007ff719c4f000 0x7ff719c4f000 0x7ff719c4ffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc4d040000 0x7ffc4d053fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x584cbf0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (7)
Operation Additional Information Success Count
Control service_name = SAMSS True 1
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Process #35: werfault.exe
Information Value
ID #35
File Name c:\windows\system32\werfault.exe
Command Line C:\Windows\system32\WerFault.exe -u -p 2040 -s 892
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:44, Reason: Child Process
Unmonitor End Time: 00:02:48, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb80
Parent PID 0x7f8 (c:\windows\system32\runtimebroker.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x518, 0x384, 0x728
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000000100000000 0x100000000 0x10001ffff Private Memory rw True False False -
pagefile_0x0000000100000000 0x100000000 0x10000ffff Pagefile Backed Memory rw True False False -
private_0x0000000100010000 0x100010000 0x100016fff Private Memory rw True False False -
pagefile_0x0000000100020000 0x100020000 0x100033fff Pagefile Backed Memory r True False False -
private_0x0000000100040000 0x100040000 0x1000bffff Private Memory rw True False False -
pagefile_0x00000001000c0000 0x1000c0000 0x1000c3fff Pagefile Backed Memory r True False False -
pagefile_0x00000001000d0000 0x1000d0000 0x1000d2fff Pagefile Backed Memory r True False False -
private_0x00000001000e0000 0x1000e0000 0x1000e1fff Private Memory rw True False False -
locale.nls 0x1000f0000 0x1001adfff Memory Mapped File r False False False -
private_0x00000001001b0000 0x1001b0000 0x10022ffff Private Memory rw True False False -
private_0x0000000100230000 0x100230000 0x100236fff Private Memory rw True False False -
werfault.exe.mui 0x100240000 0x100243fff Memory Mapped File r False False False -
private_0x0000000100250000 0x100250000 0x100250fff Private Memory rw True False False -
private_0x0000000100260000 0x100260000 0x100260fff Private Memory rw True False False -
pagefile_0x0000000100270000 0x100270000 0x100270fff Pagefile Backed Memory rw True False False -
private_0x0000000100280000 0x100280000 0x100280fff Private Memory rw True False False -
faultrep.dll.mui 0x100290000 0x100291fff Memory Mapped File r False False False -
private_0x00000001002a0000 0x1002a0000 0x1002affff Private Memory rw True False False -
private_0x00000001002b0000 0x1002b0000 0x1003affff Private Memory rw True False False -
ntdll.dll.mui 0x1003b0000 0x100415fff Memory Mapped File r False False False -
private_0x0000000100490000 0x100490000 0x10049ffff Private Memory rw True False False -
pagefile_0x00000001004a0000 0x1004a0000 0x100627fff Pagefile Backed Memory r True False False -
pagefile_0x0000000100630000 0x100630000 0x1007b0fff Pagefile Backed Memory r True False False -
pagefile_0x00000001007c0000 0x1007c0000 0x101bbffff Pagefile Backed Memory r True False False -
private_0x0000000101c40000 0x101c40000 0x101d3ffff Private Memory rw True False False -
private_0x0000000101d60000 0x101d60000 0x101d6ffff Private Memory rw True False False -
sortdefault.nls 0x101d70000 0x1020a6fff Memory Mapped File r False False False -
pagefile_0x00007df5ff470000 0x7df5ff470000 0x7ff5ff46ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff65d9c0000 0x7ff65d9c0000 0x7ff65dabffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff65dac0000 0x7ff65dac0000 0x7ff65dae2fff Pagefile Backed Memory r True False False -
private_0x00007ff65daea000 0x7ff65daea000 0x7ff65daebfff Private Memory rw True False False -
private_0x00007ff65daec000 0x7ff65daec000 0x7ff65daecfff Private Memory rw True False False -
private_0x00007ff65daee000 0x7ff65daee000 0x7ff65daeffff Private Memory rw True False False -
werfault.exe 0x7ff65dca0000 0x7ff65dceafff Memory Mapped File rwx False False False -
dbgeng.dll 0x7ffc3e170000 0x7ffc3e64bfff Memory Mapped File rwx False False False -
wer.dll 0x7ffc3ec10000 0x7ffc3ecadfff Memory Mapped File rwx False False False -
dbghelp.dll 0x7ffc3f1e0000 0x7ffc3f369fff Memory Mapped File rwx False False False -
dbgmodel.dll 0x7ffc48e30000 0x7ffc48ec0fff Memory Mapped File rwx False False False -
faultrep.dll 0x7ffc4d480000 0x7ffc4d4ddfff Memory Mapped File rwx False False False -
xmllite.dll 0x7ffc4fb00000 0x7ffc4fb35fff Memory Mapped File rwx False False False -
dbgcore.dll 0x7ffc50db0000 0x7ffc50dd4fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7ffc52d70000 0x7ffc52e05fff Memory Mapped File rwx False False False -
devobj.dll 0x7ffc52ef0000 0x7ffc52f16fff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7ffc543d0000 0x7ffc5443afff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7ffc54610000 0x7ffc5461efff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7ffc54620000 0x7ffc54663fff Memory Mapped File rwx False False False -
shcore.dll 0x7ffc54f80000 0x7ffc55032fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
imm32.dll 0x7ffc55280000 0x7ffc552b5fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
msctf.dll 0x7ffc55380000 0x7ffc554dbfff Memory Mapped File rwx False False False -
user32.dll 0x7ffc554e0000 0x7ffc5562dfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7ffc55910000 0x7ffc559cdfff Memory Mapped File rwx False False False -
gdi32.dll 0x7ffc56f10000 0x7ffc57094fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
combase.dll 0x7ffc571d0000 0x7ffc5744bfff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
advapi32.dll 0x7ffc57aa0000 0x7ffc57b45fff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #36: net.exe
Information Value
ID #36
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:02:45, Reason: Child Process
Unmonitor End Time: 00:02:49, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8a8
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x4D0, 0x858
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000028ae810000 0x28ae810000 0x28ae82ffff Private Memory rw True False False -
pagefile_0x00000028ae810000 0x28ae810000 0x28ae81ffff Pagefile Backed Memory rw True False False -
pagefile_0x00000028ae830000 0x28ae830000 0x28ae843fff Pagefile Backed Memory r True False False -
private_0x00000028ae850000 0x28ae850000 0x28ae8cffff Private Memory rw True False False -
pagefile_0x00000028ae8d0000 0x28ae8d0000 0x28ae8d3fff Pagefile Backed Memory r True False False -
pagefile_0x00000028ae8e0000 0x28ae8e0000 0x28ae8e0fff Pagefile Backed Memory r True False False -
private_0x00000028ae8f0000 0x28ae8f0000 0x28ae8f1fff Private Memory rw True False False -
private_0x00000028ae9a0000 0x28ae9a0000 0x28aea9ffff Private Memory rw True False False -
locale.nls 0x28aeaa0000 0x28aeb5dfff Memory Mapped File r False False False -
pagefile_0x00007df5ff340000 0x7df5ff340000 0x7ff5ff33ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7056a0000 0x7ff7056a0000 0x7ff70579ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7057a0000 0x7ff7057a0000 0x7ff7057c2fff Pagefile Backed Memory r True False False -
private_0x00007ff7057c9000 0x7ff7057c9000 0x7ff7057c9fff Private Memory rw True False False -
private_0x00007ff7057ce000 0x7ff7057ce000 0x7ff7057cffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #38: runtimebroker.exe
Information Value
ID #38
File Name c:\windows\system32\runtimebroker.exe
Command Line C:\Windows\System32\RuntimeBroker.exe -Embedding
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:46, Reason: Child Process
Unmonitor End Time: 00:02:47, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x490
Parent PID 0x7f8 (c:\windows\system32\runtimebroker.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs -
Process #39: net1.exe
Information Value
ID #39
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:02:46, Reason: Child Process
Unmonitor End Time: 00:02:49, Reason: Self Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0xee0
Parent PID 0x8a8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF04, 0x7B4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000005c1d590000 0x5c1d590000 0x5c1d5affff Private Memory rw True False False -
pagefile_0x0000005c1d590000 0x5c1d590000 0x5c1d59ffff Pagefile Backed Memory rw True False False -
private_0x0000005c1d5a0000 0x5c1d5a0000 0x5c1d5a6fff Private Memory rw True False False -
pagefile_0x0000005c1d5b0000 0x5c1d5b0000 0x5c1d5c3fff Pagefile Backed Memory r True False False -
private_0x0000005c1d5d0000 0x5c1d5d0000 0x5c1d64ffff Private Memory rw True False False -
pagefile_0x0000005c1d650000 0x5c1d650000 0x5c1d653fff Pagefile Backed Memory r True False False -
pagefile_0x0000005c1d660000 0x5c1d660000 0x5c1d660fff Pagefile Backed Memory r True False False -
private_0x0000005c1d670000 0x5c1d670000 0x5c1d671fff Private Memory rw True False False -
locale.nls 0x5c1d680000 0x5c1d73dfff Memory Mapped File r False False False -
private_0x0000005c1d740000 0x5c1d740000 0x5c1d7bffff Private Memory rw True False False -
private_0x0000005c1d7c0000 0x5c1d7c0000 0x5c1d7c6fff Private Memory rw True False False -
netmsg.dll 0x5c1d7d0000 0x5c1d7d2fff Memory Mapped File rwx False False False -
netmsg.dll.mui 0x5c1d7e0000 0x5c1d811fff Memory Mapped File r False False False -
private_0x0000005c1d850000 0x5c1d850000 0x5c1d94ffff Private Memory rw True False False -
private_0x0000005c1dad0000 0x5c1dad0000 0x5c1dadffff Private Memory rw True False False -
pagefile_0x00007df5ff880000 0x7df5ff880000 0x7ff5ff87ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7193d0000 0x7ff7193d0000 0x7ff7194cffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7194d0000 0x7ff7194d0000 0x7ff7194f2fff Pagefile Backed Memory r True False False -
private_0x00007ff7194fb000 0x7ff7194fb000 0x7ff7194fcfff Private Memory rw True False False -
private_0x00007ff7194fd000 0x7ff7194fd000 0x7ff7194fdfff Private Memory rw True False False -
private_0x00007ff7194fe000 0x7ff7194fe000 0x7ff7194fffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc4d000000 0x7ffc4d013fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x5c1d7d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (7)
Operation Additional Information Success Count
Control service_name = SAMSS True 1
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Process #40: net.exe
Information Value
ID #40
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:02:46, Reason: Child Process
Unmonitor End Time: 00:02:50, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf00
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEFC, 0xF94
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000e702050000 0xe702050000 0xe70206ffff Private Memory rw True False False -
pagefile_0x000000e702050000 0xe702050000 0xe70205ffff Pagefile Backed Memory rw True False False -
pagefile_0x000000e702070000 0xe702070000 0xe702083fff Pagefile Backed Memory r True False False -
private_0x000000e702090000 0xe702090000 0xe70210ffff Private Memory rw True False False -
pagefile_0x000000e702110000 0xe702110000 0xe702113fff Pagefile Backed Memory r True False False -
pagefile_0x000000e702120000 0xe702120000 0xe702120fff Pagefile Backed Memory r True False False -
private_0x000000e702130000 0xe702130000 0xe702131fff Private Memory rw True False False -
private_0x000000e7021b0000 0xe7021b0000 0xe7022affff Private Memory rw True False False -
locale.nls 0xe7022b0000 0xe70236dfff Memory Mapped File r False False False -
pagefile_0x00007df5ff670000 0x7df5ff670000 0x7ff5ff66ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff705830000 0x7ff705830000 0x7ff70592ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff705930000 0x7ff705930000 0x7ff705952fff Pagefile Backed Memory r True False False -
private_0x00007ff705955000 0x7ff705955000 0x7ff705955fff Private Memory rw True False False -
private_0x00007ff70595e000 0x7ff70595e000 0x7ff70595ffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #42: net1.exe
Information Value
ID #42
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:02:49, Reason: Child Process
Unmonitor End Time: 00:02:50, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xff8
Parent PID 0xf00 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE24, 0xD84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000ae20010000 0xae20010000 0xae2002ffff Private Memory rw True False False -
pagefile_0x000000ae20010000 0xae20010000 0xae2001ffff Pagefile Backed Memory rw True False False -
private_0x000000ae20020000 0xae20020000 0xae20026fff Private Memory rw True False False -
pagefile_0x000000ae20030000 0xae20030000 0xae20043fff Pagefile Backed Memory r True False False -
private_0x000000ae20050000 0xae20050000 0xae200cffff Private Memory rw True False False -
pagefile_0x000000ae200d0000 0xae200d0000 0xae200d3fff Pagefile Backed Memory r True False False -
pagefile_0x000000ae200e0000 0xae200e0000 0xae200e0fff Pagefile Backed Memory r True False False -
private_0x000000ae200f0000 0xae200f0000 0xae200f1fff Private Memory rw True False False -
private_0x000000ae20100000 0xae20100000 0xae2017ffff Private Memory rw True False False -
private_0x000000ae20180000 0xae20180000 0xae20186fff Private Memory rw True False False -
netmsg.dll 0xae20190000 0xae20192fff Memory Mapped File rwx False False False -
private_0x000000ae201a0000 0xae201a0000 0xae2029ffff Private Memory rw True False False -
locale.nls 0xae202a0000 0xae2035dfff Memory Mapped File r False False False -
netmsg.dll.mui 0xae20360000 0xae20391fff Memory Mapped File r False False False -
private_0x000000ae204a0000 0xae204a0000 0xae204affff Private Memory rw True False False -
pagefile_0x00007df5ff200000 0x7df5ff200000 0x7ff5ff1fffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff71a090000 0x7ff71a090000 0x7ff71a18ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff71a190000 0x7ff71a190000 0x7ff71a1b2fff Pagefile Backed Memory r True False False -
private_0x00007ff71a1bb000 0x7ff71a1bb000 0x7ff71a1bcfff Private Memory rw True False False -
private_0x00007ff71a1bd000 0x7ff71a1bd000 0x7ff71a1bdfff Private Memory rw True False False -
private_0x00007ff71a1be000 0x7ff71a1be000 0x7ff71a1bffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc4d000000 0x7ffc4d013fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 71 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0xae20190000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (7)
Operation Additional Information Success Count Logfile
Control service_name = SAMSS True 1 Fn
Get Info service_name = SAMSS True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Process #43: werfault.exe
Information Value
ID #43
File Name c:\windows\system32\werfault.exe
Command Line C:\Windows\system32\WerFault.exe -u -p 3976 -s 900
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:55, Reason: Child Process
Unmonitor End Time: 00:05:22, Reason: Terminated by Timeout
Monitor Duration 00:02:27
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1130
Parent PID 0xf88 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x1134, 0x1140, 0x118C, 0x1304, 0x1314, 0x1318, 0x1080, 0x1154
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000083b9e60000 0x83b9e60000 0x83b9e7ffff Private Memory rw True False False -
pagefile_0x00000083b9e60000 0x83b9e60000 0x83b9e6ffff Pagefile Backed Memory rw True False False -
private_0x00000083b9e70000 0x83b9e70000 0x83b9e76fff Private Memory rw True False False -
pagefile_0x00000083b9e80000 0x83b9e80000 0x83b9e93fff Pagefile Backed Memory r True False False -
private_0x00000083b9ea0000 0x83b9ea0000 0x83b9f1ffff Private Memory rw True False False -
pagefile_0x00000083b9f20000 0x83b9f20000 0x83b9f23fff Pagefile Backed Memory r True False False -
pagefile_0x00000083b9f30000 0x83b9f30000 0x83b9f32fff Pagefile Backed Memory r True False False -
private_0x00000083b9f40000 0x83b9f40000 0x83b9f41fff Private Memory rw True False False -
private_0x00000083b9f50000 0x83b9f50000 0x83b9fcffff Private Memory rw True False False -
private_0x00000083b9fd0000 0x83b9fd0000 0x83b9fd6fff Private Memory rw True False False -
werfault.exe.mui 0x83b9fe0000 0x83b9fe3fff Memory Mapped File r False False False -
private_0x00000083b9ff0000 0x83b9ff0000 0x83ba0effff Private Memory rw True False False -
locale.nls 0x83ba0f0000 0x83ba1adfff Memory Mapped File r False False False -
private_0x00000083ba1b0000 0x83ba1b0000 0x83ba1b0fff Private Memory rw True False False -
private_0x00000083ba1c0000 0x83ba1c0000 0x83ba1c0fff Private Memory rw True False False -
pagefile_0x00000083ba1d0000 0x83ba1d0000 0x83ba1d0fff Pagefile Backed Memory rw True False False -
private_0x00000083ba1e0000 0x83ba1e0000 0x83ba1e0fff Private Memory rw True False False -
private_0x00000083ba1f0000 0x83ba1f0000 0x83ba1fffff Private Memory rw True False False -
ntdll.dll.mui 0x83ba200000 0x83ba265fff Memory Mapped File r False False False -
faultrep.dll.mui 0x83ba270000 0x83ba271fff Memory Mapped File r False False False -
private_0x00000083ba280000 0x83ba280000 0x83ba280fff Private Memory rw True False False -
wer.dll.mui 0x83ba290000 0x83ba292fff Memory Mapped File r False False False -
private_0x00000083ba2a0000 0x83ba2a0000 0x83ba2a6fff Private Memory rw True False False -
pagefile_0x00000083ba2b0000 0x83ba2b0000 0x83ba2b1fff Pagefile Backed Memory r True False False -
pagefile_0x00000083ba2c0000 0x83ba2c0000 0x83ba2c1fff Pagefile Backed Memory r True False False -
werui.dll.mui 0x83ba2d0000 0x83ba2d4fff Memory Mapped File r False False False -
pagefile_0x00000083ba2e0000 0x83ba2e0000 0x83ba2e1fff Pagefile Backed Memory r True False False -
pagefile_0x00000083ba2f0000 0x83ba2f0000 0x83ba2f0fff Pagefile Backed Memory r True False False -
pagefile_0x00000083ba300000 0x83ba300000 0x83ba301fff Pagefile Backed Memory r True False False -
private_0x00000083ba330000 0x83ba330000 0x83ba33ffff Private Memory rw True False False -
pagefile_0x00000083ba340000 0x83ba340000 0x83ba4c7fff Pagefile Backed Memory r True False False -
pagefile_0x00000083ba4d0000 0x83ba4d0000 0x83ba650fff Pagefile Backed Memory r True False False -
pagefile_0x00000083ba660000 0x83ba660000 0x83bba5ffff Pagefile Backed Memory r True False False -
private_0x00000083bba60000 0x83bba60000 0x83bbb5ffff Private Memory rw True False False -
private_0x00000083bbbb0000 0x83bbbb0000 0x83bbbbffff Private Memory rw True False False -
sortdefault.nls 0x83bbbc0000 0x83bbef6fff Memory Mapped File r False False False -
private_0x00000083bbf00000 0x83bbf00000 0x83bbffffff Private Memory rw True False False -
private_0x00000083bc000000 0x83bc000000 0x83bc0fffff Private Memory rw True False False -
kernelbase.dll.mui 0x83bc100000 0x83bc1defff Memory Mapped File r False False False -
private_0x00000083bc1e0000 0x83bc1e0000 0x83bc2dffff Private Memory rw True False False -
private_0x00000083bc2e0000 0x83bc2e0000 0x83bc35ffff Private Memory rw True False False -
private_0x00000083bc360000 0x83bc360000 0x83bc3dffff Private Memory rw True False False -
private_0x00000083bc3e0000 0x83bc3e0000 0x83bc45ffff Private Memory rw True False False -
private_0x00000083bc460000 0x83bc460000 0x83bc4dffff Private Memory rw True False False -
private_0x00000083bc4e0000 0x83bc4e0000 0x83bc55ffff Private Memory rw True False False -
pagefile_0x00007df5ff970000 0x7df5ff970000 0x7ff5ff96ffff Pagefile Backed Memory - True False False -
private_0x00007ff65d4ac000 0x7ff65d4ac000 0x7ff65d4adfff Private Memory rw True False False -
private_0x00007ff65d4ae000 0x7ff65d4ae000 0x7ff65d4affff Private Memory rw True False False -
pagefile_0x00007ff65d4b0000 0x7ff65d4b0000 0x7ff65d5affff Pagefile Backed Memory r True False False -
pagefile_0x00007ff65d5b0000 0x7ff65d5b0000 0x7ff65d5d2fff Pagefile Backed Memory r True False False -
private_0x00007ff65d5d4000 0x7ff65d5d4000 0x7ff65d5d5fff Private Memory rw True False False -
private_0x00007ff65d5d6000 0x7ff65d5d6000 0x7ff65d5d7fff Private Memory rw True False False -
private_0x00007ff65d5d8000 0x7ff65d5d8000 0x7ff65d5d8fff Private Memory rw True False False -
private_0x00007ff65d5da000 0x7ff65d5da000 0x7ff65d5dbfff Private Memory rw True False False -
private_0x00007ff65d5dc000 0x7ff65d5dc000 0x7ff65d5ddfff Private Memory rw True False False -
private_0x00007ff65d5de000 0x7ff65d5de000 0x7ff65d5dffff Private Memory rw True False False -
werfault.exe 0x7ff65dca0000 0x7ff65dceafff Memory Mapped File rwx False False False -
dbgeng.dll 0x7ffc3e170000 0x7ffc3e64bfff Memory Mapped File rwx False False False -
wer.dll 0x7ffc3ec10000 0x7ffc3ecadfff Memory Mapped File rwx False False False -
dbghelp.dll 0x7ffc3f1e0000 0x7ffc3f369fff Memory Mapped File rwx False False False -
dui70.dll 0x7ffc3ff20000 0x7ffc400cffff Memory Mapped File rwx False False False -
dbgmodel.dll 0x7ffc48e30000 0x7ffc48ec0fff Memory Mapped File rwx False False False -
riched20.dll 0x7ffc48f50000 0x7ffc48feafff Memory Mapped File rwx False False False -
secur32.dll 0x7ffc4b6e0000 0x7ffc4b6ebfff Memory Mapped File rwx False False False -
version.dll 0x7ffc4b890000 0x7ffc4b899fff Memory Mapped File rwx False False False -
comctl32.dll 0x7ffc4cbd0000 0x7ffc4ce43fff Memory Mapped File rwx False False False -
werui.dll 0x7ffc4d060000 0x7ffc4d0d3fff Memory Mapped File rwx False False False -
msls31.dll 0x7ffc4d3d0000 0x7ffc4d407fff Memory Mapped File rwx False False False -
usp10.dll 0x7ffc4d410000 0x7ffc4d427fff Memory Mapped File rwx False False False -
faultrep.dll 0x7ffc4d480000 0x7ffc4d4ddfff Memory Mapped File rwx False False False -
duser.dll 0x7ffc4f3a0000 0x7ffc4f438fff Memory Mapped File rwx False False False -
xmllite.dll 0x7ffc4fb00000 0x7ffc4fb35fff Memory Mapped File rwx False False False -
dbgcore.dll 0x7ffc50db0000 0x7ffc50dd4fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7ffc52d70000 0x7ffc52e05fff Memory Mapped File rwx False False False -
devobj.dll 0x7ffc52ef0000 0x7ffc52f16fff Memory Mapped File rwx False False False -
ntmarta.dll 0x7ffc53920000 0x7ffc53951fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7ffc53a90000 0x7ffc53ac2fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7ffc54210000 0x7ffc54226fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7ffc54280000 0x7ffc5428afff Memory Mapped File rwx False False False -
sspicli.dll 0x7ffc54320000 0x7ffc5434bfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7ffc543d0000 0x7ffc5443afff Memory Mapped File rwx False False False -
profapi.dll 0x7ffc54580000 0x7ffc54592fff Memory Mapped File rwx False False False -
powrprof.dll 0x7ffc545a0000 0x7ffc545e9fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7ffc54610000 0x7ffc5461efff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7ffc54620000 0x7ffc54663fff Memory Mapped File rwx False False False -
windows.storage.dll 0x7ffc54670000 0x7ffc54c97fff Memory Mapped File rwx False False False -
shcore.dll 0x7ffc54f80000 0x7ffc55032fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
imm32.dll 0x7ffc55280000 0x7ffc552b5fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
msctf.dll 0x7ffc55380000 0x7ffc554dbfff Memory Mapped File rwx False False False -
user32.dll 0x7ffc554e0000 0x7ffc5562dfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7ffc55910000 0x7ffc559cdfff Memory Mapped File rwx False False False -
shell32.dll 0x7ffc559d0000 0x7ffc56ef4fff Memory Mapped File rwx False False False -
gdi32.dll 0x7ffc56f10000 0x7ffc57094fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
combase.dll 0x7ffc571d0000 0x7ffc5744bfff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ole32.dll 0x7ffc57750000 0x7ffc57890fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7ffc578a0000 0x7ffc578f0fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7ffc57970000 0x7ffc57a14fff Memory Mapped File rwx False False False -
advapi32.dll 0x7ffc57aa0000 0x7ffc57b45fff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #44: net.exe
Information Value
ID #44
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:02:56, Reason: Child Process
Unmonitor End Time: 00:02:59, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1170
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1174, 0x1214
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000d049aa0000 0xd049aa0000 0xd049abffff Private Memory rw True False False -
pagefile_0x000000d049aa0000 0xd049aa0000 0xd049aaffff Pagefile Backed Memory rw True False False -
pagefile_0x000000d049ac0000 0xd049ac0000 0xd049ad3fff Pagefile Backed Memory r True False False -
private_0x000000d049ae0000 0xd049ae0000 0xd049b5ffff Private Memory rw True False False -
pagefile_0x000000d049b60000 0xd049b60000 0xd049b63fff Pagefile Backed Memory r True False False -
pagefile_0x000000d049b70000 0xd049b70000 0xd049b70fff Pagefile Backed Memory r True False False -
private_0x000000d049b80000 0xd049b80000 0xd049b81fff Private Memory rw True False False -
private_0x000000d049bf0000 0xd049bf0000 0xd049ceffff Private Memory rw True False False -
locale.nls 0xd049cf0000 0xd049dadfff Memory Mapped File r False False False -
pagefile_0x00007df5ff610000 0x7df5ff610000 0x7ff5ff60ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7056c0000 0x7ff7056c0000 0x7ff7057bffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7057c0000 0x7ff7057c0000 0x7ff7057e2fff Pagefile Backed Memory r True False False -
private_0x00007ff7057ed000 0x7ff7057ed000 0x7ff7057eefff Private Memory rw True False False -
private_0x00007ff7057ef000 0x7ff7057ef000 0x7ff7057effff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #46: svchost.exe
Information Value
ID #46
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:57, Reason: Child Process
Unmonitor End Time: 00:05:22, Reason: Terminated by Timeout
Monitor Duration 00:02:25
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1188
Parent PID 0xf88 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs -
Process #47: net.exe
Information Value
ID #47
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:02:57, Reason: Child Process
Unmonitor End Time: 00:03:00, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1260
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1264, 0x1310
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000066de8a0000 0x66de8a0000 0x66de8bffff Private Memory rw True False False -
pagefile_0x00000066de8a0000 0x66de8a0000 0x66de8affff Pagefile Backed Memory rw True False False -
pagefile_0x00000066de8c0000 0x66de8c0000 0x66de8d3fff Pagefile Backed Memory r True False False -
private_0x00000066de8e0000 0x66de8e0000 0x66de95ffff Private Memory rw True False False -
pagefile_0x00000066de960000 0x66de960000 0x66de963fff Pagefile Backed Memory r True False False -
pagefile_0x00000066de970000 0x66de970000 0x66de970fff Pagefile Backed Memory r True False False -
private_0x00000066de980000 0x66de980000 0x66de981fff Private Memory rw True False False -
locale.nls 0x66de990000 0x66dea4dfff Memory Mapped File r False False False -
private_0x00000066dea90000 0x66dea90000 0x66deb8ffff Private Memory rw True False False -
pagefile_0x00007df5ffdc0000 0x7df5ffdc0000 0x7ff5ffdbffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff706200000 0x7ff706200000 0x7ff7062fffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff706300000 0x7ff706300000 0x7ff706322fff Pagefile Backed Memory r True False False -
private_0x00007ff70632d000 0x7ff70632d000 0x7ff70632efff Private Memory rw True False False -
private_0x00007ff70632f000 0x7ff70632f000 0x7ff70632ffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #48: net1.exe
Information Value
ID #48
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:02:57, Reason: Child Process
Unmonitor End Time: 00:02:59, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x1268
Parent PID 0x1170 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x126C, 0x12EC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000f4112c0000 0xf4112c0000 0xf4112dffff Private Memory rw True False False -
pagefile_0x000000f4112c0000 0xf4112c0000 0xf4112cffff Pagefile Backed Memory rw True False False -
private_0x000000f4112d0000 0xf4112d0000 0xf4112d6fff Private Memory rw True False False -
pagefile_0x000000f4112e0000 0xf4112e0000 0xf4112f3fff Pagefile Backed Memory r True False False -
private_0x000000f411300000 0xf411300000 0xf41137ffff Private Memory rw True False False -
pagefile_0x000000f411380000 0xf411380000 0xf411383fff Pagefile Backed Memory r True False False -
pagefile_0x000000f411390000 0xf411390000 0xf411390fff Pagefile Backed Memory r True False False -
private_0x000000f4113a0000 0xf4113a0000 0xf4113a1fff Private Memory rw True False False -
locale.nls 0xf4113b0000 0xf41146dfff Memory Mapped File r False False False -
private_0x000000f411470000 0xf411470000 0xf4114effff Private Memory rw True False False -
private_0x000000f4114f0000 0xf4114f0000 0xf4114f6fff Private Memory rw True False False -
netmsg.dll 0xf411500000 0xf411502fff Memory Mapped File rwx False False False -
netmsg.dll.mui 0xf411510000 0xf411541fff Memory Mapped File r False False False -
private_0x000000f411560000 0xf411560000 0xf41165ffff Private Memory rw True False False -
private_0x000000f411850000 0xf411850000 0xf41185ffff Private Memory rw True False False -
pagefile_0x00007df5ff670000 0x7df5ff670000 0x7ff5ff66ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff719840000 0x7ff719840000 0x7ff71993ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff719940000 0x7ff719940000 0x7ff719962fff Pagefile Backed Memory r True False False -
private_0x00007ff719965000 0x7ff719965000 0x7ff719965fff Private Memory rw True False False -
private_0x00007ff71996c000 0x7ff71996c000 0x7ff71996dfff Private Memory rw True False False -
private_0x00007ff71996e000 0x7ff71996e000 0x7ff71996ffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc4d210000 0x7ffc4d223fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 71 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0xf411500000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (7)
Operation Additional Information Success Count Logfile
Control service_name = SAMSS True 1 Fn
Get Info service_name = SAMSS True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Process #50: net1.exe
Information Value
ID #50
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:02:59, Reason: Child Process
Unmonitor End Time: 00:03:00, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x134c
Parent PID 0x1260 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1350, 0x13A4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000006cde4f0000 0x6cde4f0000 0x6cde50ffff Private Memory rw True False False -
pagefile_0x0000006cde4f0000 0x6cde4f0000 0x6cde4fffff Pagefile Backed Memory rw True False False -
private_0x0000006cde500000 0x6cde500000 0x6cde506fff Private Memory rw True False False -
pagefile_0x0000006cde510000 0x6cde510000 0x6cde523fff Pagefile Backed Memory r True False False -
private_0x0000006cde530000 0x6cde530000 0x6cde5affff Private Memory rw True False False -
pagefile_0x0000006cde5b0000 0x6cde5b0000 0x6cde5b3fff Pagefile Backed Memory r True False False -
pagefile_0x0000006cde5c0000 0x6cde5c0000 0x6cde5c0fff Pagefile Backed Memory r True False False -
private_0x0000006cde5d0000 0x6cde5d0000 0x6cde5d1fff Private Memory rw True False False -
private_0x0000006cde5e0000 0x6cde5e0000 0x6cde5e6fff Private Memory rw True False False -
netmsg.dll 0x6cde5f0000 0x6cde5f2fff Memory Mapped File rwx False False False -
private_0x0000006cde600000 0x6cde600000 0x6cde6fffff Private Memory rw True False False -
locale.nls 0x6cde700000 0x6cde7bdfff Memory Mapped File r False False False -
private_0x0000006cde7c0000 0x6cde7c0000 0x6cde83ffff Private Memory rw True False False -
netmsg.dll.mui 0x6cde840000 0x6cde871fff Memory Mapped File r False False False -
private_0x0000006cde9e0000 0x6cde9e0000 0x6cde9effff Private Memory rw True False False -
pagefile_0x00007df5ff1c0000 0x7df5ff1c0000 0x7ff5ff1bffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7198a0000 0x7ff7198a0000 0x7ff71999ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7199a0000 0x7ff7199a0000 0x7ff7199c2fff Pagefile Backed Memory r True False False -
private_0x00007ff7199ca000 0x7ff7199ca000 0x7ff7199cbfff Private Memory rw True False False -
private_0x00007ff7199cc000 0x7ff7199cc000 0x7ff7199ccfff Private Memory rw True False False -
private_0x00007ff7199ce000 0x7ff7199ce000 0x7ff7199cffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc4d210000 0x7ffc4d223fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 71 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x6cde5f0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (7)
Operation Additional Information Success Count Logfile
Control service_name = SAMSS True 1 Fn
Get Info service_name = SAMSS True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Process #51: net.exe
Information Value
ID #51
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:03:07, Reason: Child Process
Unmonitor End Time: 00:03:11, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0x1528
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 152C
0x 165C
Region
Process #53: net.exe
Information Value
ID #53
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:03:08, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1670
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1674, 0x1754
Region
Process #54: net1.exe
Information Value
ID #54
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:03:08, Reason: Child Process
Unmonitor End Time: 00:03:10, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x1698
Parent PID 0x1528 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x169C, 0x16FC
Region
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x98ba920000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (7)
Operation Additional Information Success Count
Control service_name = SAMSS True 1
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Process #56: net1.exe
Information Value
ID #56
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:03:10, Reason: Child Process
Unmonitor End Time: 00:03:12, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x176c
Parent PID 0x1670 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1770, 0x17CC
Region
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0xe7b8930000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (7)
Operation Additional Information Success Count
Control service_name = SAMSS True 1
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Process #57: werfault.exe
Information Value
ID #57
File Name c:\windows\system32\werfault.exe
Command Line C:\Windows\system32\WerFault.exe -u -p 2532 -s 1012
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:12, Reason: Child Process
Unmonitor End Time: 00:03:26, Reason: Self Terminated
Monitor Duration 00:00:14
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x17f0
Parent PID 0x9e4 (c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x17F4, 0x17F8, 0x1534, 0x1558, 0x420, 0x1660, 0x193C, 0x1B0C, 0x1DB8
Region
Process #58: net.exe
Information Value
ID #58
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:03:17, Reason: Child Process
Unmonitor End Time: 00:03:22, Reason: Self Terminated
Monitor Duration 00:00:05
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1960
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1964, 0x19E8
Region
Process #60: net1.exe
Information Value
ID #60
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:03:18, Reason: Child Process
Unmonitor End Time: 00:03:23, Reason: Self Terminated
Monitor Duration 00:00:05
OS Process Information
Information Value
PID 0x1a54
Parent PID 0x1960 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1A58, 0x1BBC
Region
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0xc543390000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (7)
Operation Additional Information Success Count
Control service_name = SAMSS True 1
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Process #61: net.exe (0 host behavior entries)
Information Value
ID #61
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:03:19, Reason: Child Process
Unmonitor End Time: 00:03:22, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1bc0
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1BC4, 0x1D78
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000005bf2f80000 0x5bf2f80000 0x5bf2f9ffff Private Memory rw True False False -
pagefile_0x0000005bf2f80000 0x5bf2f80000 0x5bf2f8ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000005bf2fa0000 0x5bf2fa0000 0x5bf2fb3fff Pagefile Backed Memory r True False False -
private_0x0000005bf2fc0000 0x5bf2fc0000 0x5bf303ffff Private Memory rw True False False -
pagefile_0x0000005bf3040000 0x5bf3040000 0x5bf3043fff Pagefile Backed Memory r True False False -
pagefile_0x0000005bf3050000 0x5bf3050000 0x5bf3050fff Pagefile Backed Memory r True False False -
private_0x0000005bf3060000 0x5bf3060000 0x5bf3061fff Private Memory rw True False False -
locale.nls 0x5bf3070000 0x5bf312dfff Memory Mapped File r False False False -
private_0x0000005bf3180000 0x5bf3180000 0x5bf327ffff Private Memory rw True False False -
pagefile_0x00007df5ff6a0000 0x7df5ff6a0000 0x7ff5ff69ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff705ed0000 0x7ff705ed0000 0x7ff705fcffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff705fd0000 0x7ff705fd0000 0x7ff705ff2fff Pagefile Backed Memory r True False False -
private_0x00007ff705ffc000 0x7ff705ffc000 0x7ff705ffcfff Private Memory rw True False False -
private_0x00007ff705ffe000 0x7ff705ffe000 0x7ff705ffffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #63: net1.exe (20 host behavior entries)
Information Value
ID #63
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:03:22, Reason: Child Process
Unmonitor End Time: 00:03:22, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x1d7c
Parent PID 0x1bc0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1D80, 0x1D84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000015e5500000 0x15e5500000 0x15e551ffff Private Memory rw True False False -
pagefile_0x00000015e5500000 0x15e5500000 0x15e550ffff Pagefile Backed Memory rw True False False -
private_0x00000015e5510000 0x15e5510000 0x15e5516fff Private Memory rw True False False -
pagefile_0x00000015e5520000 0x15e5520000 0x15e5533fff Pagefile Backed Memory r True False False -
private_0x00000015e5540000 0x15e5540000 0x15e55bffff Private Memory rw True False False -
pagefile_0x00000015e55c0000 0x15e55c0000 0x15e55c3fff Pagefile Backed Memory r True False False -
pagefile_0x00000015e55d0000 0x15e55d0000 0x15e55d0fff Pagefile Backed Memory r True False False -
private_0x00000015e55e0000 0x15e55e0000 0x15e55e1fff Private Memory rw True False False -
private_0x00000015e55f0000 0x15e55f0000 0x15e56effff Private Memory rw True False False -
locale.nls 0x15e56f0000 0x15e57adfff Memory Mapped File r False False False -
private_0x00000015e57b0000 0x15e57b0000 0x15e582ffff Private Memory rw True False False -
private_0x00000015e5830000 0x15e5830000 0x15e5836fff Private Memory rw True False False -
netmsg.dll 0x15e5840000 0x15e5842fff Memory Mapped File rwx False False False -
netmsg.dll.mui 0x15e5850000 0x15e5881fff Memory Mapped File r False False False -
private_0x00000015e5890000 0x15e5890000 0x15e589ffff Private Memory rw True False False -
pagefile_0x00007df5ff1c0000 0x7df5ff1c0000 0x7ff5ff1bffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff71a240000 0x7ff71a240000 0x7ff71a33ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff71a340000 0x7ff71a340000 0x7ff71a362fff Pagefile Backed Memory r True False False -
private_0x00007ff71a364000 0x7ff71a364000 0x7ff71a364fff Private Memory rw True False False -
private_0x00007ff71a36c000 0x7ff71a36c000 0x7ff71a36dfff Private Memory rw True False False -
private_0x00007ff71a36e000 0x7ff71a36e000 0x7ff71a36ffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc505c0000 0x7ffc505d3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x15e5840000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (7)
Operation Additional Information Success Count
Control service_name = SAMSS True 1
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Process #64: net.exe (0 host behavior entries)
Information Value
ID #64
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:03:27, Reason: Child Process
Unmonitor End Time: 00:03:29, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1e74
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1E78, 0x1E90
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000003b6d8b0000 0x3b6d8b0000 0x3b6d8cffff Private Memory rw True False False -
pagefile_0x0000003b6d8b0000 0x3b6d8b0000 0x3b6d8bffff Pagefile Backed Memory rw True False False -
pagefile_0x0000003b6d8d0000 0x3b6d8d0000 0x3b6d8e3fff Pagefile Backed Memory r True False False -
private_0x0000003b6d8f0000 0x3b6d8f0000 0x3b6d96ffff Private Memory rw True False False -
pagefile_0x0000003b6d970000 0x3b6d970000 0x3b6d973fff Pagefile Backed Memory r True False False -
pagefile_0x0000003b6d980000 0x3b6d980000 0x3b6d980fff Pagefile Backed Memory r True False False -
private_0x0000003b6d990000 0x3b6d990000 0x3b6d991fff Private Memory rw True False False -
locale.nls 0x3b6d9a0000 0x3b6da5dfff Memory Mapped File r False False False -
private_0x0000003b6da70000 0x3b6da70000 0x3b6db6ffff Private Memory rw True False False -
pagefile_0x00007df5ff4e0000 0x7df5ff4e0000 0x7ff5ff4dffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7064b0000 0x7ff7064b0000 0x7ff7065affff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7065b0000 0x7ff7065b0000 0x7ff7065d2fff Pagefile Backed Memory r True False False -
private_0x00007ff7065dc000 0x7ff7065dc000 0x7ff7065ddfff Private Memory rw True False False -
private_0x00007ff7065de000 0x7ff7065de000 0x7ff7065defff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #66: net1.exe (20 host behavior entries)
Information Value
ID #66
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:03:28, Reason: Child Process
Unmonitor End Time: 00:03:29, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1e98
Parent PID 0x1e74 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1E9C, 0x1EA0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000e205960000 0xe205960000 0xe20597ffff Private Memory rw True False False -
pagefile_0x000000e205960000 0xe205960000 0xe20596ffff Pagefile Backed Memory rw True False False -
private_0x000000e205970000 0xe205970000 0xe205976fff Private Memory rw True False False -
pagefile_0x000000e205980000 0xe205980000 0xe205993fff Pagefile Backed Memory r True False False -
private_0x000000e2059a0000 0xe2059a0000 0xe205a1ffff Private Memory rw True False False -
pagefile_0x000000e205a20000 0xe205a20000 0xe205a23fff Pagefile Backed Memory r True False False -
pagefile_0x000000e205a30000 0xe205a30000 0xe205a30fff Pagefile Backed Memory r True False False -
private_0x000000e205a40000 0xe205a40000 0xe205a41fff Private Memory rw True False False -
private_0x000000e205a50000 0xe205a50000 0xe205a56fff Private Memory rw True False False -
netmsg.dll 0xe205a60000 0xe205a62fff Memory Mapped File rwx False False False -
private_0x000000e205a70000 0xe205a70000 0xe205b6ffff Private Memory rw True False False -
locale.nls 0xe205b70000 0xe205c2dfff Memory Mapped File r False False False -
private_0x000000e205c30000 0xe205c30000 0xe205caffff Private Memory rw True False False -
netmsg.dll.mui 0xe205cb0000 0xe205ce1fff Memory Mapped File r False False False -
private_0x000000e205e50000 0xe205e50000 0xe205e5ffff Private Memory rw True False False -
pagefile_0x00007df5ff480000 0x7df5ff480000 0x7ff5ff47ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff719740000 0x7ff719740000 0x7ff71983ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff719840000 0x7ff719840000 0x7ff719862fff Pagefile Backed Memory r True False False -
private_0x00007ff71986b000 0x7ff71986b000 0x7ff71986cfff Private Memory rw True False False -
private_0x00007ff71986d000 0x7ff71986d000 0x7ff71986efff Private Memory rw True False False -
private_0x00007ff71986f000 0x7ff71986f000 0x7ff71986ffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc505c0000 0x7ffc505d3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0xe205a60000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (7)
Operation Additional Information Success Count
Control service_name = SAMSS True 1
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Process #67: net.exe (0 host behavior entries)
Information Value
ID #67
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:03:30, Reason: Child Process
Unmonitor End Time: 00:03:31, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1fb4
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1FB8, 0x1BC0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000001dad50000 0x1dad50000 0x1dad6ffff Private Memory rw True False False -
pagefile_0x00000001dad50000 0x1dad50000 0x1dad5ffff Pagefile Backed Memory rw True False False -
pagefile_0x00000001dad70000 0x1dad70000 0x1dad83fff Pagefile Backed Memory r True False False -
private_0x00000001dad90000 0x1dad90000 0x1dae0ffff Private Memory rw True False False -
pagefile_0x00000001dae10000 0x1dae10000 0x1dae13fff Pagefile Backed Memory r True False False -
pagefile_0x00000001dae20000 0x1dae20000 0x1dae20fff Pagefile Backed Memory r True False False -
private_0x00000001dae30000 0x1dae30000 0x1dae31fff Private Memory rw True False False -
locale.nls 0x1dae40000 0x1daefdfff Memory Mapped File r False False False -
private_0x00000001dafa0000 0x1dafa0000 0x1db09ffff Private Memory rw True False False -
pagefile_0x00007df5ff840000 0x7df5ff840000 0x7ff5ff83ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff706440000 0x7ff706440000 0x7ff70653ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff706540000 0x7ff706540000 0x7ff706562fff Pagefile Backed Memory r True False False -
private_0x00007ff706569000 0x7ff706569000 0x7ff706569fff Private Memory rw True False False -
private_0x00007ff70656e000 0x7ff70656e000 0x7ff70656ffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #69: net1.exe (20 host behavior entries)
Information Value
ID #69
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:03:31, Reason: Child Process
Unmonitor End Time: 00:03:31, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x1cfc
Parent PID 0x1fb4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1968, 0x1510
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000c5458e0000 0xc5458e0000 0xc5458fffff Private Memory rw True False False -
pagefile_0x000000c5458e0000 0xc5458e0000 0xc5458effff Pagefile Backed Memory rw True False False -
private_0x000000c5458f0000 0xc5458f0000 0xc5458f6fff Private Memory rw True False False -
pagefile_0x000000c545900000 0xc545900000 0xc545913fff Pagefile Backed Memory r True False False -
private_0x000000c545920000 0xc545920000 0xc54599ffff Private Memory rw True False False -
pagefile_0x000000c5459a0000 0xc5459a0000 0xc5459a3fff Pagefile Backed Memory r True False False -
pagefile_0x000000c5459b0000 0xc5459b0000 0xc5459b0fff Pagefile Backed Memory r True False False -
private_0x000000c5459c0000 0xc5459c0000 0xc5459c1fff Private Memory rw True False False -
locale.nls 0xc5459d0000 0xc545a8dfff Memory Mapped File r False False False -
private_0x000000c545a90000 0xc545a90000 0xc545a96fff Private Memory rw True False False -
netmsg.dll 0xc545aa0000 0xc545aa2fff Memory Mapped File rwx False False False -
private_0x000000c545ae0000 0xc545ae0000 0xc545bdffff Private Memory rw True False False -
private_0x000000c545be0000 0xc545be0000 0xc545c5ffff Private Memory rw True False False -
netmsg.dll.mui 0xc545c60000 0xc545c91fff Memory Mapped File r False False False -
private_0x000000c545da0000 0xc545da0000 0xc545daffff Private Memory rw True False False -
pagefile_0x00007df5ff390000 0x7df5ff390000 0x7ff5ff38ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff71a0e0000 0x7ff71a0e0000 0x7ff71a1dffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff71a1e0000 0x7ff71a1e0000 0x7ff71a202fff Pagefile Backed Memory r True False False -
private_0x00007ff71a206000 0x7ff71a206000 0x7ff71a206fff Private Memory rw True False False -
private_0x00007ff71a20c000 0x7ff71a20c000 0x7ff71a20dfff Private Memory rw True False False -
private_0x00007ff71a20e000 0x7ff71a20e000 0x7ff71a20ffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc505c0000 0x7ffc505d3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0xc545aa0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (7)
Operation Additional Information Success Count
Control service_name = SAMSS True 1
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
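The records above repeat one pattern: mksmd.exe (PID 0x52c, running from C:\Users\Public) launches net.exe stop "samss" /y, net.exe shows no activity of its own and hands off to net1.exe, and net1.exe is the process that opens the Service Control Manager (SERVICES_ACTIVE_DATABASE) and sends a control to SAMSS; the sequence is repeated every few seconds. The detection below is an added example, not VMRay output or tooling: it reconstructs that chain from process-creation events (Sysmon-style records with assumed field names pid, parent_pid, image, cmdline), attributes each net1.exe to the process that really issued the command rather than to the net.exe launcher, counts repeat attempts per originator and service, and scores the stop by service sensitivity and launch location. The sample events are constructed from the PIDs and command lines of records #61, #63, #64 and #66 plus one benign administrator event; "samss" is the only sensitive service taken from the report, the rest of SENSITIVE_SERVICES and the SUSPICIOUS_PARENT_DIRS list are assumptions to tune per estate.

```python
import re
from collections import defaultdict

# "samss" is the service targeted in the report; the other names are an
# assumption (services commonly stopped before encryption), tune per estate.
SENSITIVE_SERVICES = {"samss", "vss", "mssqlserver", "sqlwriter"}
# Launch locations treated as suspicious for the originating process
# (assumption; the report's originator runs from C:\Users\Public).
SUSPICIOUS_PARENT_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "\\appdata\\local\\temp\\")

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_windows_cmdline(cmdline):
    """Split a Windows command line into argv-like tokens: double quotes are
    stripped, backslashes are kept (shlex in POSIX mode would eat them)."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def _basename(path):
    return path.replace('"', "").lower().rsplit("\\", 1)[-1]


def parse_net_stop(cmdline):
    """Return (service, forced) when cmdline is net/net1 'stop <service>',
    with forced=True if /y answers the dependent-service prompt; else None.
    Accepts both 'net.exe' and the extension-less 'net1' form seen in the report."""
    argv = split_windows_cmdline(cmdline)
    if len(argv) < 3 or _basename(argv[0]) not in {"net", "net.exe", "net1", "net1.exe"}:
        return None
    if argv[1].lower() != "stop":
        return None
    return argv[2].lower(), any(a.lower() == "/y" for a in argv[3:])


def originating_parent(event, by_pid):
    """net.exe is a thin launcher that re-executes as net1.exe, so walk past
    net.exe parents to the process that actually issued the command."""
    parent = by_pid.get(event["parent_pid"])
    while parent is not None and _basename(parent["image"]) == "net.exe":
        parent = by_pid.get(parent["parent_pid"])
    return parent


def detect_service_stops(events):
    """Return one alert per net stop attempt against a sensitive service or
    from a suspicious originator; each net.exe/net1.exe pair is counted once."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["parent_pid"]].append(e)
    attempts = defaultdict(int)  # (originator pid, service) -> attempts so far
    alerts = []
    for e in events:
        parsed = parse_net_stop(e["cmdline"])
        if parsed is None:
            continue
        service, forced = parsed
        # Prefer the net1.exe event (it does the SCM work); fall back to the
        # net.exe event only when the telemetry never recorded the child.
        if _basename(e["image"]) == "net.exe" and any(
                _basename(c["image"]) == "net1.exe" and parse_net_stop(c["cmdline"]) == parsed
                for c in children[e["pid"]]):
            continue
        origin = originating_parent(e, by_pid)
        origin_pid = origin["pid"] if origin else None
        origin_image = origin["image"].lower() if origin else ""
        attempts[(origin_pid, service)] += 1
        reasons = []
        if service in SENSITIVE_SERVICES:
            reasons.append(f"stop of sensitive service {service}")
        suspicious_origin = any(d in origin_image for d in SUSPICIOUS_PARENT_DIRS)
        if suspicious_origin:
            reasons.append(f"originator {origin_image} runs from a user-writable directory")
        if forced:
            reasons.append("/y suppresses the dependent-service confirmation")
        if attempts[(origin_pid, service)] > 1:
            reasons.append(f"attempt {attempts[(origin_pid, service)]} against {service} from the same originator")
        if service in SENSITIVE_SERVICES or suspicious_origin:
            alerts.append({"pid": e["pid"], "cmdline": e["cmdline"], "service": service,
                           "originator_pid": origin_pid, "originator_image": origin_image,
                           "reasons": reasons})
    return alerts


# Constructed sample: the mksmd.exe -> net.exe -> net1.exe chains from records
# #61/#63 and #64/#66, plus a benign admin stop of Windows Update from cmd.exe.
SAMPLE_EVENTS = [
    {"pid": 0x52c, "parent_pid": 0, "image": r"C:\Users\Public\MKSMD.exe", "cmdline": r'"C:\users\Public\MKSMD.exe"'},
    {"pid": 0x1bc0, "parent_pid": 0x52c, "image": r"C:\Windows\System32\net.exe", "cmdline": r'"C:\Windows\System32\net.exe" stop "samss" /y'},
    {"pid": 0x1d7c, "parent_pid": 0x1bc0, "image": r"C:\Windows\System32\net1.exe", "cmdline": r'C:\Windows\system32\net1 stop "samss" /y'},
    {"pid": 0x1e74, "parent_pid": 0x52c, "image": r"C:\Windows\System32\net.exe", "cmdline": r'"C:\Windows\System32\net.exe" stop "samss" /y'},
    {"pid": 0x1e98, "parent_pid": 0x1e74, "image": r"C:\Windows\System32\net1.exe", "cmdline": r'C:\Windows\system32\net1 stop "samss" /y'},
    {"pid": 0x2ff0, "parent_pid": 0, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 0x3000, "parent_pid": 0x2ff0, "image": r"C:\Windows\System32\net.exe", "cmdline": "net stop wuauserv"},
]

if __name__ == "__main__":
    for alert in detect_service_stops(SAMPLE_EVENTS):
        print(hex(alert["pid"]), alert["service"], "<-", hex(alert["originator_pid"]))
        for reason in alert["reasons"]:
            print("   ", reason)
```

Run against the sample it raises two alerts, both attributed to mksmd.exe (0x52c) rather than to net.exe, with the second carrying the repeat-attempt reason; the administrator's net stop wuauserv from cmd.exe raises nothing. In a real pipeline the repeat counter should be bounded by a time window, and the sensitive-service list widened to whatever the environment's backup, database and security agents are called.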
Process #70: net.exe (0 host behavior entries)
Information Value
ID #70
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:03:38, Reason: Child Process
Unmonitor End Time: 00:03:39, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x22f8
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x22FC, 0x2334
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000c75e5e0000 0xc75e5e0000 0xc75e5fffff Private Memory rw True False False -
pagefile_0x000000c75e5e0000 0xc75e5e0000 0xc75e5effff Pagefile Backed Memory rw True False False -
pagefile_0x000000c75e600000 0xc75e600000 0xc75e613fff Pagefile Backed Memory r True False False -
private_0x000000c75e620000 0xc75e620000 0xc75e69ffff Private Memory rw True False False -
pagefile_0x000000c75e6a0000 0xc75e6a0000 0xc75e6a3fff Pagefile Backed Memory r True False False -
pagefile_0x000000c75e6b0000 0xc75e6b0000 0xc75e6b0fff Pagefile Backed Memory r True False False -
private_0x000000c75e6c0000 0xc75e6c0000 0xc75e6c1fff Private Memory rw True False False -
locale.nls 0xc75e6d0000 0xc75e78dfff Memory Mapped File r False False False -
private_0x000000c75e7c0000 0xc75e7c0000 0xc75e8bffff Private Memory rw True False False -
pagefile_0x00007df5ff7b0000 0x7df5ff7b0000 0x7ff5ff7affff Pagefile Backed Memory - True False False -
pagefile_0x00007ff705f20000 0x7ff705f20000 0x7ff70601ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff706020000 0x7ff706020000 0x7ff706042fff Pagefile Backed Memory r True False False -
private_0x00007ff706048000 0x7ff706048000 0x7ff706048fff Private Memory rw True False False -
private_0x00007ff70604e000 0x7ff70604e000 0x7ff70604ffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #72: net1.exe (20 host behavior entries)
Information Value
ID #72
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:03:39, Reason: Child Process
Unmonitor End Time: 00:03:39, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x2404
Parent PID 0x22f8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x2408, 0x240C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000007b04890000 0x7b04890000 0x7b048affff Private Memory rw True False False -
pagefile_0x0000007b04890000 0x7b04890000 0x7b0489ffff Pagefile Backed Memory rw True False False -
private_0x0000007b048a0000 0x7b048a0000 0x7b048a6fff Private Memory rw True False False -
pagefile_0x0000007b048b0000 0x7b048b0000 0x7b048c3fff Pagefile Backed Memory r True False False -
private_0x0000007b048d0000 0x7b048d0000 0x7b0494ffff Private Memory rw True False False -
pagefile_0x0000007b04950000 0x7b04950000 0x7b04953fff Pagefile Backed Memory r True False False -
pagefile_0x0000007b04960000 0x7b04960000 0x7b04960fff Pagefile Backed Memory r True False False -
private_0x0000007b04970000 0x7b04970000 0x7b04971fff Private Memory rw True False False -
private_0x0000007b04980000 0x7b04980000 0x7b04986fff Private Memory rw True False False -
private_0x0000007b04990000 0x7b04990000 0x7b04a8ffff Private Memory rw True False False -
locale.nls 0x7b04a90000 0x7b04b4dfff Memory Mapped File r False False False -
private_0x0000007b04b50000 0x7b04b50000 0x7b04bcffff Private Memory rw True False False -
netmsg.dll 0x7b04bd0000 0x7b04bd2fff Memory Mapped File rwx False False False -
netmsg.dll.mui 0x7b04be0000 0x7b04c11fff Memory Mapped File r False False False -
private_0x0000007b04d60000 0x7b04d60000 0x7b04d6ffff Private Memory rw True False False -
pagefile_0x00007df5ff3e0000 0x7df5ff3e0000 0x7ff5ff3dffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff71a280000 0x7ff71a280000 0x7ff71a37ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff71a380000 0x7ff71a380000 0x7ff71a3a2fff Pagefile Backed Memory r True False False -
private_0x00007ff71a3a4000 0x7ff71a3a4000 0x7ff71a3a4fff Private Memory rw True False False -
private_0x00007ff71a3ac000 0x7ff71a3ac000 0x7ff71a3adfff Private Memory rw True False False -
private_0x00007ff71a3ae000 0x7ff71a3ae000 0x7ff71a3affff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc505c0000 0x7ffc505d3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x7b04bd0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (7)
Operation Additional Information Success Count
Control service_name = SAMSS True 1
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Process #73: net.exe
Information Value
ID #73
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:03:43, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x2418
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x241C
0x2434
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000074de0f0000 0x74de0f0000 0x74de10ffff Private Memory rw True False False -
pagefile_0x00000074de0f0000 0x74de0f0000 0x74de0fffff Pagefile Backed Memory rw True False False -
pagefile_0x00000074de110000 0x74de110000 0x74de123fff Pagefile Backed Memory r True False False -
private_0x00000074de130000 0x74de130000 0x74de1affff Private Memory rw True False False -
pagefile_0x00000074de1b0000 0x74de1b0000 0x74de1b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000074de1c0000 0x74de1c0000 0x74de1c0fff Pagefile Backed Memory r True False False -
private_0x00000074de1d0000 0x74de1d0000 0x74de1d1fff Private Memory rw True False False -
locale.nls 0x74de1e0000 0x74de29dfff Memory Mapped File r False False False -
private_0x00000074de390000 0x74de390000 0x74de48ffff Private Memory rw True False False -
pagefile_0x00007df5ff070000 0x7df5ff070000 0x7ff5ff06ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff705750000 0x7ff705750000 0x7ff70584ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff705850000 0x7ff705850000 0x7ff705872fff Pagefile Backed Memory r True False False -
private_0x00007ff705879000 0x7ff705879000 0x7ff705879fff Private Memory rw True False False -
private_0x00007ff70587e000 0x7ff70587e000 0x7ff70587ffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #75: net1.exe
Information Value
ID #75
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:03:41, Reason: Child Process
Unmonitor End Time: 00:03:43, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x2438
Parent PID 0x2418 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x243C
0x2440
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000044bb4f0000 0x44bb4f0000 0x44bb50ffff Private Memory rw True False False -
pagefile_0x00000044bb4f0000 0x44bb4f0000 0x44bb4fffff Pagefile Backed Memory rw True False False -
private_0x00000044bb500000 0x44bb500000 0x44bb506fff Private Memory rw True False False -
pagefile_0x00000044bb510000 0x44bb510000 0x44bb523fff Pagefile Backed Memory r True False False -
private_0x00000044bb530000 0x44bb530000 0x44bb5affff Private Memory rw True False False -
pagefile_0x00000044bb5b0000 0x44bb5b0000 0x44bb5b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000044bb5c0000 0x44bb5c0000 0x44bb5c0fff Pagefile Backed Memory r True False False -
private_0x00000044bb5d0000 0x44bb5d0000 0x44bb5d1fff Private Memory rw True False False -
private_0x00000044bb5e0000 0x44bb5e0000 0x44bb5e6fff Private Memory rw True False False -
netmsg.dll 0x44bb5f0000 0x44bb5f2fff Memory Mapped File rwx False False False -
private_0x00000044bb630000 0x44bb630000 0x44bb72ffff Private Memory rw True False False -
locale.nls 0x44bb730000 0x44bb7edfff Memory Mapped File r False False False -
private_0x00000044bb7f0000 0x44bb7f0000 0x44bb86ffff Private Memory rw True False False -
netmsg.dll.mui 0x44bb870000 0x44bb8a1fff Memory Mapped File r False False False -
private_0x00000044bb930000 0x44bb930000 0x44bb93ffff Private Memory rw True False False -
pagefile_0x00007df5ff5c0000 0x7df5ff5c0000 0x7ff5ff5bffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff719f80000 0x7ff719f80000 0x7ff71a07ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff71a080000 0x7ff71a080000 0x7ff71a0a2fff Pagefile Backed Memory r True False False -
private_0x00007ff71a0ab000 0x7ff71a0ab000 0x7ff71a0abfff Private Memory rw True False False -
private_0x00007ff71a0ac000 0x7ff71a0ac000 0x7ff71a0adfff Private Memory rw True False False -
private_0x00007ff71a0ae000 0x7ff71a0ae000 0x7ff71a0affff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc505c0000 0x7ffc505d3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x44bb5f0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (7)
Operation Additional Information Success Count
Control service_name = SAMSS True 1
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Process #76: net.exe
Information Value
ID #76
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:03:49, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x288c
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x2890
0x2A14
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000001b23b40000 0x1b23b40000 0x1b23b5ffff Private Memory rw True False False -
pagefile_0x0000001b23b40000 0x1b23b40000 0x1b23b4ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000001b23b60000 0x1b23b60000 0x1b23b73fff Pagefile Backed Memory r True False False -
private_0x0000001b23b80000 0x1b23b80000 0x1b23bfffff Private Memory rw True False False -
pagefile_0x0000001b23c00000 0x1b23c00000 0x1b23c03fff Pagefile Backed Memory r True False False -
pagefile_0x0000001b23c10000 0x1b23c10000 0x1b23c10fff Pagefile Backed Memory r True False False -
private_0x0000001b23c20000 0x1b23c20000 0x1b23c21fff Private Memory rw True False False -
private_0x0000001b23c80000 0x1b23c80000 0x1b23d7ffff Private Memory rw True False False -
locale.nls 0x1b23d80000 0x1b23e3dfff Memory Mapped File r False False False -
pagefile_0x00007df5ffd40000 0x7df5ffd40000 0x7ff5ffd3ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff706440000 0x7ff706440000 0x7ff70653ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff706540000 0x7ff706540000 0x7ff706562fff Pagefile Backed Memory r True False False -
private_0x00007ff706563000 0x7ff706563000 0x7ff706563fff Private Memory rw True False False -
private_0x00007ff70656e000 0x7ff70656e000 0x7ff70656ffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #78: net1.exe
Information Value
ID #78
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x2a74
Parent PID 0x288c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x2A78
0x2B30
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000001c05df0000 0x1c05df0000 0x1c05e0ffff Private Memory rw True False False -
pagefile_0x0000001c05df0000 0x1c05df0000 0x1c05dfffff Pagefile Backed Memory rw True False False -
private_0x0000001c05e00000 0x1c05e00000 0x1c05e06fff Private Memory rw True False False -
pagefile_0x0000001c05e10000 0x1c05e10000 0x1c05e23fff Pagefile Backed Memory r True False False -
private_0x0000001c05e30000 0x1c05e30000 0x1c05eaffff Private Memory rw True False False -
pagefile_0x0000001c05eb0000 0x1c05eb0000 0x1c05eb3fff Pagefile Backed Memory r True False False -
pagefile_0x0000001c05ec0000 0x1c05ec0000 0x1c05ec0fff Pagefile Backed Memory r True False False -
private_0x0000001c05ed0000 0x1c05ed0000 0x1c05ed1fff Private Memory rw True False False -
locale.nls 0x1c05ee0000 0x1c05f9dfff Memory Mapped File r False False False -
private_0x0000001c05fa0000 0x1c05fa0000 0x1c0601ffff Private Memory rw True False False -
private_0x0000001c06020000 0x1c06020000 0x1c06026fff Private Memory rw True False False -
netmsg.dll 0x1c06030000 0x1c06032fff Memory Mapped File rwx False False False -
private_0x0000001c06050000 0x1c06050000 0x1c0614ffff Private Memory rw True False False -
netmsg.dll.mui 0x1c06150000 0x1c06181fff Memory Mapped File r False False False -
private_0x0000001c062e0000 0x1c062e0000 0x1c062effff Private Memory rw True False False -
pagefile_0x00007df5ff750000 0x7df5ff750000 0x7ff5ff74ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff71a2a0000 0x7ff71a2a0000 0x7ff71a39ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff71a3a0000 0x7ff71a3a0000 0x7ff71a3c2fff Pagefile Backed Memory r True False False -
private_0x00007ff71a3c7000 0x7ff71a3c7000 0x7ff71a3c7fff Private Memory rw True False False -
private_0x00007ff71a3cc000 0x7ff71a3cc000 0x7ff71a3cdfff Private Memory rw True False False -
private_0x00007ff71a3ce000 0x7ff71a3ce000 0x7ff71a3cffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc505b0000 0x7ffc505c3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x1c06030000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (7)
Operation Additional Information Success Count
Control service_name = SAMSS True 1
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Process #79: net.exe
Information Value
ID #79
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x2ae0
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x2AE4
0x2B44
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000aeef1b0000 0xaeef1b0000 0xaeef1cffff Private Memory rw True False False -
pagefile_0x000000aeef1b0000 0xaeef1b0000 0xaeef1bffff Pagefile Backed Memory rw True False False -
pagefile_0x000000aeef1d0000 0xaeef1d0000 0xaeef1e3fff Pagefile Backed Memory r True False False -
private_0x000000aeef1f0000 0xaeef1f0000 0xaeef26ffff Private Memory rw True False False -
pagefile_0x000000aeef270000 0xaeef270000 0xaeef273fff Pagefile Backed Memory r True False False -
pagefile_0x000000aeef280000 0xaeef280000 0xaeef280fff Pagefile Backed Memory r True False False -
private_0x000000aeef290000 0xaeef290000 0xaeef291fff Private Memory rw True False False -
private_0x000000aeef2b0000 0xaeef2b0000 0xaeef3affff Private Memory rw True False False -
locale.nls 0xaeef3b0000 0xaeef46dfff Memory Mapped File r False False False -
pagefile_0x00007df5ffd90000 0x7df5ffd90000 0x7ff5ffd8ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff705d20000 0x7ff705d20000 0x7ff705e1ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff705e20000 0x7ff705e20000 0x7ff705e42fff Pagefile Backed Memory r True False False -
private_0x00007ff705e47000 0x7ff705e47000 0x7ff705e47fff Private Memory rw True False False -
private_0x00007ff705e4e000 0x7ff705e4e000 0x7ff705e4ffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #81: net1.exe
Information Value
ID #81
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:03:52, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x2b48
Parent PID 0x2ae0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x2B4C
0x2B50
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000004067c70000 0x4067c70000 0x4067c8ffff Private Memory rw True False False -
pagefile_0x0000004067c70000 0x4067c70000 0x4067c7ffff Pagefile Backed Memory rw True False False -
private_0x0000004067c80000 0x4067c80000 0x4067c86fff Private Memory rw True False False -
pagefile_0x0000004067c90000 0x4067c90000 0x4067ca3fff Pagefile Backed Memory r True False False -
private_0x0000004067cb0000 0x4067cb0000 0x4067d2ffff Private Memory rw True False False -
pagefile_0x0000004067d30000 0x4067d30000 0x4067d33fff Pagefile Backed Memory r True False False -
pagefile_0x0000004067d40000 0x4067d40000 0x4067d40fff Pagefile Backed Memory r True False False -
private_0x0000004067d50000 0x4067d50000 0x4067d51fff Private Memory rw True False False -
private_0x0000004067d60000 0x4067d60000 0x4067d66fff Private Memory rw True False False -
netmsg.dll 0x4067d70000 0x4067d72fff Memory Mapped File rwx False False False -
netmsg.dll.mui 0x4067d80000 0x4067db1fff Memory Mapped File r False False False -
private_0x0000004067dd0000 0x4067dd0000 0x4067ecffff Private Memory rw True False False -
locale.nls 0x4067ed0000 0x4067f8dfff Memory Mapped File r False False False -
private_0x0000004067f90000 0x4067f90000 0x406800ffff Private Memory rw True False False -
private_0x0000004068130000 0x4068130000 0x406813ffff Private Memory rw True False False -
pagefile_0x00007df5ff8f0000 0x7df5ff8f0000 0x7ff5ff8effff Pagefile Backed Memory - True False False -
pagefile_0x00007ff719f10000 0x7ff719f10000 0x7ff71a00ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff71a010000 0x7ff71a010000 0x7ff71a032fff Pagefile Backed Memory r True False False -
private_0x00007ff71a03a000 0x7ff71a03a000 0x7ff71a03afff Private Memory rw True False False -
private_0x00007ff71a03c000 0x7ff71a03c000 0x7ff71a03dfff Private Memory rw True False False -
private_0x00007ff71a03e000 0x7ff71a03e000 0x7ff71a03ffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc505b0000 0x7ffc505c3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x4067d70000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (7)
Operation Additional Information Success Count
Control service_name = SAMSS True 1
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Process #82: net.exe
Information Value
ID #82
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:00, Reason: Child Process
Unmonitor End Time: 00:04:05, Reason: Self Terminated
Monitor Duration 00:00:05
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x3198
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x319C
0x32CC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000095097a0000 0x95097a0000 0x95097bffff Private Memory rw True False False -
pagefile_0x00000095097a0000 0x95097a0000 0x95097affff Pagefile Backed Memory rw True False False -
pagefile_0x00000095097c0000 0x95097c0000 0x95097d3fff Pagefile Backed Memory r True False False -
private_0x00000095097e0000 0x95097e0000 0x950985ffff Private Memory rw True False False -
pagefile_0x0000009509860000 0x9509860000 0x9509863fff Pagefile Backed Memory r True False False -
pagefile_0x0000009509870000 0x9509870000 0x9509870fff Pagefile Backed Memory r True False False -
private_0x0000009509880000 0x9509880000 0x9509881fff Private Memory rw True False False -
locale.nls 0x9509890000 0x950994dfff Memory Mapped File r False False False -
private_0x0000009509a60000 0x9509a60000 0x9509b5ffff Private Memory rw True False False -
pagefile_0x00007df5ff040000 0x7df5ff040000 0x7ff5ff03ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7063b0000 0x7ff7063b0000 0x7ff7064affff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7064b0000 0x7ff7064b0000 0x7ff7064d2fff Pagefile Backed Memory r True False False -
private_0x00007ff7064d9000 0x7ff7064d9000 0x7ff7064d9fff Private Memory rw True False False -
private_0x00007ff7064de000 0x7ff7064de000 0x7ff7064dffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #84: net1.exe
Information Value
ID #84
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:01, Reason: Child Process
Unmonitor End Time: 00:04:04, Reason: Self Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0x3320
Parent PID 0x3198 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x3324
0x33E4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000ed21610000 0xed21610000 0xed2162ffff Private Memory rw True False False -
pagefile_0x000000ed21610000 0xed21610000 0xed2161ffff Pagefile Backed Memory rw True False False -
private_0x000000ed21620000 0xed21620000 0xed21626fff Private Memory rw True False False -
pagefile_0x000000ed21630000 0xed21630000 0xed21643fff Pagefile Backed Memory r True False False -
private_0x000000ed21650000 0xed21650000 0xed216cffff Private Memory rw True False False -
pagefile_0x000000ed216d0000 0xed216d0000 0xed216d3fff Pagefile Backed Memory r True False False -
pagefile_0x000000ed216e0000 0xed216e0000 0xed216e0fff Pagefile Backed Memory r True False False -
private_0x000000ed216f0000 0xed216f0000 0xed216f1fff Private Memory rw True False False -
locale.nls 0xed21700000 0xed217bdfff Memory Mapped File r False False False -
private_0x000000ed217c0000 0xed217c0000 0xed2183ffff Private Memory rw True False False -
private_0x000000ed21840000 0xed21840000 0xed21846fff Private Memory rw True False False -
private_0x000000ed21850000 0xed21850000 0xed2185ffff Private Memory rw True False False -
netmsg.dll 0xed21860000 0xed21862fff Memory Mapped File rwx False False False -
private_0x000000ed21890000 0xed21890000 0xed2198ffff Private Memory rw True False False -
netmsg.dll.mui 0xed21990000 0xed219c1fff Memory Mapped File r False False False -
pagefile_0x00007df5ff0d0000 0x7df5ff0d0000 0x7ff5ff0cffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7197d0000 0x7ff7197d0000 0x7ff7198cffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7198d0000 0x7ff7198d0000 0x7ff7198f2fff Pagefile Backed Memory r True False False -
private_0x00007ff7198fb000 0x7ff7198fb000 0x7ff7198fcfff Private Memory rw True False False -
private_0x00007ff7198fd000 0x7ff7198fd000 0x7ff7198fefff Private Memory rw True False False -
private_0x00007ff7198ff000 0x7ff7198ff000 0x7ff7198fffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc505b0000 0x7ffc505c3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0xed21860000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (7)
Operation Additional Information Success Count
Control service_name = SAMSS True 1
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Process #85: net.exe
Information Value
ID #85
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:01, Reason: Child Process
Unmonitor End Time: 00:04:08, Reason: Self Terminated
Monitor Duration 00:00:07
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x338c
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x3390, 0x36E0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000007cabd90000 0x7cabd90000 0x7cabdaffff Private Memory rw True False False -
pagefile_0x0000007cabd90000 0x7cabd90000 0x7cabd9ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000007cabdb0000 0x7cabdb0000 0x7cabdc3fff Pagefile Backed Memory r True False False -
private_0x0000007cabdd0000 0x7cabdd0000 0x7cabe4ffff Private Memory rw True False False -
pagefile_0x0000007cabe50000 0x7cabe50000 0x7cabe53fff Pagefile Backed Memory r True False False -
pagefile_0x0000007cabe60000 0x7cabe60000 0x7cabe60fff Pagefile Backed Memory r True False False -
private_0x0000007cabe70000 0x7cabe70000 0x7cabe71fff Private Memory rw True False False -
private_0x0000007cabee0000 0x7cabee0000 0x7cabfdffff Private Memory rw True False False -
locale.nls 0x7cabfe0000 0x7cac09dfff Memory Mapped File r False False False -
pagefile_0x00007df5ff3d0000 0x7df5ff3d0000 0x7ff5ff3cffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff705920000 0x7ff705920000 0x7ff705a1ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff705a20000 0x7ff705a20000 0x7ff705a42fff Pagefile Backed Memory r True False False -
private_0x00007ff705a44000 0x7ff705a44000 0x7ff705a44fff Private Memory rw True False False -
private_0x00007ff705a4e000 0x7ff705a4e000 0x7ff705a4ffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #87: net1.exe
Information Value
ID #87
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:03, Reason: Child Process
Unmonitor End Time: 00:04:07, Reason: Self Terminated
Monitor Duration 00:00:04
OS Process Information
Information Value
PID 0x373c
Parent PID 0x338c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x3740, 0xDAC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000b9c8000000 0xb9c8000000 0xb9c801ffff Private Memory rw True False False -
pagefile_0x000000b9c8000000 0xb9c8000000 0xb9c800ffff Pagefile Backed Memory rw True False False -
private_0x000000b9c8010000 0xb9c8010000 0xb9c8016fff Private Memory rw True False False -
pagefile_0x000000b9c8020000 0xb9c8020000 0xb9c8033fff Pagefile Backed Memory r True False False -
private_0x000000b9c8040000 0xb9c8040000 0xb9c80bffff Private Memory rw True False False -
pagefile_0x000000b9c80c0000 0xb9c80c0000 0xb9c80c3fff Pagefile Backed Memory r True False False -
pagefile_0x000000b9c80d0000 0xb9c80d0000 0xb9c80d0fff Pagefile Backed Memory r True False False -
private_0x000000b9c80e0000 0xb9c80e0000 0xb9c80e1fff Private Memory rw True False False -
locale.nls 0xb9c80f0000 0xb9c81adfff Memory Mapped File r False False False -
private_0x000000b9c81b0000 0xb9c81b0000 0xb9c822ffff Private Memory rw True False False -
private_0x000000b9c8230000 0xb9c8230000 0xb9c832ffff Private Memory rw True False False -
private_0x000000b9c8330000 0xb9c8330000 0xb9c8336fff Private Memory rw True False False -
netmsg.dll 0xb9c8340000 0xb9c8342fff Memory Mapped File rwx False False False -
netmsg.dll.mui 0xb9c8350000 0xb9c8381fff Memory Mapped File r False False False -
private_0x000000b9c8420000 0xb9c8420000 0xb9c842ffff Private Memory rw True False False -
pagefile_0x00007df5ff360000 0x7df5ff360000 0x7ff5ff35ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff719560000 0x7ff719560000 0x7ff71965ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff719660000 0x7ff719660000 0x7ff719682fff Pagefile Backed Memory r True False False -
private_0x00007ff71968b000 0x7ff71968b000 0x7ff71968cfff Private Memory rw True False False -
private_0x00007ff71968d000 0x7ff71968d000 0x7ff71968efff Private Memory rw True False False -
private_0x00007ff71968f000 0x7ff71968f000 0x7ff71968ffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc505b0000 0x7ffc505c3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0xb9c8340000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (7)
Operation Additional Information Success Count
Control service_name = SAMSS True 1
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Process #88: net.exe
Information Value
ID #88
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:11, Reason: Child Process
Unmonitor End Time: 00:04:17, Reason: Self Terminated
Monitor Duration 00:00:06
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x3ea4
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x3EA8, 0x4008
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000001313cb0000 0x1313cb0000 0x1313ccffff Private Memory rw True False False -
pagefile_0x0000001313cb0000 0x1313cb0000 0x1313cbffff Pagefile Backed Memory rw True False False -
pagefile_0x0000001313cd0000 0x1313cd0000 0x1313ce3fff Pagefile Backed Memory r True False False -
private_0x0000001313cf0000 0x1313cf0000 0x1313d6ffff Private Memory rw True False False -
pagefile_0x0000001313d70000 0x1313d70000 0x1313d73fff Pagefile Backed Memory r True False False -
pagefile_0x0000001313d80000 0x1313d80000 0x1313d80fff Pagefile Backed Memory r True False False -
private_0x0000001313d90000 0x1313d90000 0x1313d91fff Private Memory rw True False False -
private_0x0000001313e00000 0x1313e00000 0x1313efffff Private Memory rw True False False -
locale.nls 0x1313f00000 0x1313fbdfff Memory Mapped File r False False False -
pagefile_0x00007df5ffbe0000 0x7df5ffbe0000 0x7ff5ffbdffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7056b0000 0x7ff7056b0000 0x7ff7057affff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7057b0000 0x7ff7057b0000 0x7ff7057d2fff Pagefile Backed Memory r True False False -
private_0x00007ff7057da000 0x7ff7057da000 0x7ff7057dafff Private Memory rw True False False -
private_0x00007ff7057de000 0x7ff7057de000 0x7ff7057dffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #90: net.exe
Information Value
ID #90
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:12, Reason: Child Process
Unmonitor End Time: 00:04:18, Reason: Self Terminated
Monitor Duration 00:00:06
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x402c
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x4030, 0x42DC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000005735cb0000 0x5735cb0000 0x5735ccffff Private Memory rw True False False -
pagefile_0x0000005735cb0000 0x5735cb0000 0x5735cbffff Pagefile Backed Memory rw True False False -
pagefile_0x0000005735cd0000 0x5735cd0000 0x5735ce3fff Pagefile Backed Memory r True False False -
private_0x0000005735cf0000 0x5735cf0000 0x5735d6ffff Private Memory rw True False False -
pagefile_0x0000005735d70000 0x5735d70000 0x5735d73fff Pagefile Backed Memory r True False False -
pagefile_0x0000005735d80000 0x5735d80000 0x5735d80fff Pagefile Backed Memory r True False False -
private_0x0000005735d90000 0x5735d90000 0x5735d91fff Private Memory rw True False False -
private_0x0000005735db0000 0x5735db0000 0x5735eaffff Private Memory rw True False False -
locale.nls 0x5735eb0000 0x5735f6dfff Memory Mapped File r False False False -
pagefile_0x00007df5ff970000 0x7df5ff970000 0x7ff5ff96ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff706380000 0x7ff706380000 0x7ff70647ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff706480000 0x7ff706480000 0x7ff7064a2fff Pagefile Backed Memory r True False False -
private_0x00007ff7064a7000 0x7ff7064a7000 0x7ff7064a7fff Private Memory rw True False False -
private_0x00007ff7064ae000 0x7ff7064ae000 0x7ff7064affff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #92: net1.exe
Information Value
ID #92
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:12, Reason: Child Process
Unmonitor End Time: 00:04:17, Reason: Self Terminated
Monitor Duration 00:00:05
OS Process Information
Information Value
PID 0x40a0
Parent PID 0x3ea4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x40A4, 0x41C8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000009ca34d0000 0x9ca34d0000 0x9ca34effff Private Memory rw True False False -
pagefile_0x0000009ca34d0000 0x9ca34d0000 0x9ca34dffff Pagefile Backed Memory rw True False False -
private_0x0000009ca34e0000 0x9ca34e0000 0x9ca34e6fff Private Memory rw True False False -
pagefile_0x0000009ca34f0000 0x9ca34f0000 0x9ca3503fff Pagefile Backed Memory r True False False -
private_0x0000009ca3510000 0x9ca3510000 0x9ca358ffff Private Memory rw True False False -
pagefile_0x0000009ca3590000 0x9ca3590000 0x9ca3593fff Pagefile Backed Memory r True False False -
pagefile_0x0000009ca35a0000 0x9ca35a0000 0x9ca35a0fff Pagefile Backed Memory r True False False -
private_0x0000009ca35b0000 0x9ca35b0000 0x9ca35b1fff Private Memory rw True False False -
private_0x0000009ca35c0000 0x9ca35c0000 0x9ca35c6fff Private Memory rw True False False -
netmsg.dll 0x9ca35d0000 0x9ca35d2fff Memory Mapped File rwx False False False -
private_0x0000009ca3610000 0x9ca3610000 0x9ca370ffff Private Memory rw True False False -
locale.nls 0x9ca3710000 0x9ca37cdfff Memory Mapped File r False False False -
private_0x0000009ca37d0000 0x9ca37d0000 0x9ca384ffff Private Memory rw True False False -
netmsg.dll.mui 0x9ca3850000 0x9ca3881fff Memory Mapped File r False False False -
private_0x0000009ca3990000 0x9ca3990000 0x9ca399ffff Private Memory rw True False False -
pagefile_0x00007df5ff250000 0x7df5ff250000 0x7ff5ff24ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff719fd0000 0x7ff719fd0000 0x7ff71a0cffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff71a0d0000 0x7ff71a0d0000 0x7ff71a0f2fff Pagefile Backed Memory r True False False -
private_0x00007ff71a0fb000 0x7ff71a0fb000 0x7ff71a0fcfff Private Memory rw True False False -
private_0x00007ff71a0fd000 0x7ff71a0fd000 0x7ff71a0fefff Private Memory rw True False False -
private_0x00007ff71a0ff000 0x7ff71a0ff000 0x7ff71a0fffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc505b0000 0x7ffc505c3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x9ca35d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (7)
Operation Additional Information Success Count
Control service_name = SAMSS True 1
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Process #93: net1.exe
Information Value
ID #93
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:14, Reason: Child Process
Unmonitor End Time: 00:04:17, Reason: Self Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0x4434
Parent PID 0x402c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x4438, 0x44F4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000e2437b0000 0xe2437b0000 0xe2437cffff Private Memory rw True False False -
pagefile_0x000000e2437b0000 0xe2437b0000 0xe2437bffff Pagefile Backed Memory rw True False False -
private_0x000000e2437c0000 0xe2437c0000 0xe2437c6fff Private Memory rw True False False -
pagefile_0x000000e2437d0000 0xe2437d0000 0xe2437e3fff Pagefile Backed Memory r True False False -
private_0x000000e2437f0000 0xe2437f0000 0xe24386ffff Private Memory rw True False False -
pagefile_0x000000e243870000 0xe243870000 0xe243873fff Pagefile Backed Memory r True False False -
pagefile_0x000000e243880000 0xe243880000 0xe243880fff Pagefile Backed Memory r True False False -
private_0x000000e243890000 0xe243890000 0xe243891fff Private Memory rw True False False -
private_0x000000e2438a0000 0xe2438a0000 0xe2438a6fff Private Memory rw True False False -
netmsg.dll 0xe2438b0000 0xe2438b2fff Memory Mapped File rwx False False False -
netmsg.dll.mui 0xe2438c0000 0xe2438f1fff Memory Mapped File r False False False -
private_0x000000e243900000 0xe243900000 0xe2439fffff Private Memory rw True False False -
locale.nls 0xe243a00000 0xe243abdfff Memory Mapped File r False False False -
private_0x000000e243ac0000 0xe243ac0000 0xe243b3ffff Private Memory rw True False False -
private_0x000000e243bc0000 0xe243bc0000 0xe243bcffff Private Memory rw True False False -
pagefile_0x00007df5ff1d0000 0x7df5ff1d0000 0x7ff5ff1cffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff71a0b0000 0x7ff71a0b0000 0x7ff71a1affff Pagefile Backed Memory r True False False -
pagefile_0x00007ff71a1b0000 0x7ff71a1b0000 0x7ff71a1d2fff Pagefile Backed Memory r True False False -
private_0x00007ff71a1d7000 0x7ff71a1d7000 0x7ff71a1d7fff Private Memory rw True False False -
private_0x00007ff71a1dc000 0x7ff71a1dc000 0x7ff71a1ddfff Private Memory rw True False False -
private_0x00007ff71a1de000 0x7ff71a1de000 0x7ff71a1dffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc505b0000 0x7ffc505c3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0xe2438b0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (7)
Operation Additional Information Success Count
Control service_name = SAMSS True 1
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Process #94: net.exe
Information Value
ID #94
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:22, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x50b8
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x50BC, 0x527C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000a9baa20000 0xa9baa20000 0xa9baa3ffff Private Memory rw True False False -
pagefile_0x000000a9baa20000 0xa9baa20000 0xa9baa2ffff Pagefile Backed Memory rw True False False -
pagefile_0x000000a9baa40000 0xa9baa40000 0xa9baa53fff Pagefile Backed Memory r True False False -
private_0x000000a9baa60000 0xa9baa60000 0xa9baadffff Private Memory rw True False False -
pagefile_0x000000a9baae0000 0xa9baae0000 0xa9baae3fff Pagefile Backed Memory r True False False -
pagefile_0x000000a9baaf0000 0xa9baaf0000 0xa9baaf0fff Pagefile Backed Memory r True False False -
private_0x000000a9bab00000 0xa9bab00000 0xa9bab01fff Private Memory rw True False False -
private_0x000000a9bab80000 0xa9bab80000 0xa9bac7ffff Private Memory rw True False False -
locale.nls 0xa9bac80000 0xa9bad3dfff Memory Mapped File r False False False -
pagefile_0x00007df5ff8c0000 0x7df5ff8c0000 0x7ff5ff8bffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff705ee0000 0x7ff705ee0000 0x7ff705fdffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff705fe0000 0x7ff705fe0000 0x7ff706002fff Pagefile Backed Memory r True False False -
private_0x00007ff70600d000 0x7ff70600d000 0x7ff70600efff Private Memory rw True False False -
private_0x00007ff70600f000 0x7ff70600f000 0x7ff70600ffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #96: net.exe
Information Value
ID #96
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:23, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x525c
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x5260, 0x5354
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000007fbaad0000 0x7fbaad0000 0x7fbaaeffff Private Memory rw True False False -
pagefile_0x0000007fbaad0000 0x7fbaad0000 0x7fbaadffff Pagefile Backed Memory rw True False False -
pagefile_0x0000007fbaaf0000 0x7fbaaf0000 0x7fbab03fff Pagefile Backed Memory r True False False -
private_0x0000007fbab10000 0x7fbab10000 0x7fbab8ffff Private Memory rw True False False -
pagefile_0x0000007fbab90000 0x7fbab90000 0x7fbab93fff Pagefile Backed Memory r True False False -
pagefile_0x0000007fbaba0000 0x7fbaba0000 0x7fbaba0fff Pagefile Backed Memory r True False False -
private_0x0000007fbabb0000 0x7fbabb0000 0x7fbabb1fff Private Memory rw True False False -
locale.nls 0x7fbabc0000 0x7fbac7dfff Memory Mapped File r False False False -
private_0x0000007fbaca0000 0x7fbaca0000 0x7fbad9ffff Private Memory rw True False False -
pagefile_0x00007df5ffc30000 0x7df5ffc30000 0x7ff5ffc2ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff706110000 0x7ff706110000 0x7ff70620ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff706210000 0x7ff706210000 0x7ff706232fff Pagefile Backed Memory r True False False -
private_0x00007ff70623c000 0x7ff70623c000 0x7ff70623dfff Private Memory rw True False False -
private_0x00007ff70623e000 0x7ff70623e000 0x7ff70623efff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #98: net1.exe
Information Value
ID #98
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:24, Reason: Child Process
Unmonitor End Time: 00:04:26, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x531c
Parent PID 0x50b8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x5320, 0x5358
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000098350b0000 0x98350b0000 0x98350cffff Private Memory rw True False False -
pagefile_0x00000098350b0000 0x98350b0000 0x98350bffff Pagefile Backed Memory rw True False False -
private_0x00000098350c0000 0x98350c0000 0x98350c6fff Private Memory rw True False False -
pagefile_0x00000098350d0000 0x98350d0000 0x98350e3fff Pagefile Backed Memory r True False False -
private_0x00000098350f0000 0x98350f0000 0x983516ffff Private Memory rw True False False -
pagefile_0x0000009835170000 0x9835170000 0x9835173fff Pagefile Backed Memory r True False False -
pagefile_0x0000009835180000 0x9835180000 0x9835180fff Pagefile Backed Memory r True False False -
private_0x0000009835190000 0x9835190000 0x9835191fff Private Memory rw True False False -
locale.nls 0x98351a0000 0x983525dfff Memory Mapped File r False False False -
private_0x0000009835260000 0x9835260000 0x98352dffff Private Memory rw True False False -
private_0x00000098352e0000 0x98352e0000 0x98352e6fff Private Memory rw True False False -
private_0x00000098352f0000 0x98352f0000 0x98353effff Private Memory rw True False False -
netmsg.dll 0x98353f0000 0x98353f2fff Memory Mapped File rwx False False False -
netmsg.dll.mui 0x9835400000 0x9835431fff Memory Mapped File r False False False -
private_0x0000009835570000 0x9835570000 0x983557ffff Private Memory rw True False False -
pagefile_0x00007df5ff900000 0x7df5ff900000 0x7ff5ff8fffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff71a050000 0x7ff71a050000 0x7ff71a14ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff71a150000 0x7ff71a150000 0x7ff71a172fff Pagefile Backed Memory r True False False -
private_0x00007ff71a177000 0x7ff71a177000 0x7ff71a177fff Private Memory rw True False False -
private_0x00007ff71a17c000 0x7ff71a17c000 0x7ff71a17dfff Private Memory rw True False False -
private_0x00007ff71a17e000 0x7ff71a17e000 0x7ff71a17ffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc505b0000 0x7ffc505c3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 71 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x98353f0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (7)
Operation Additional Information Success Count Logfile
Control service_name = SAMSS True 1 Fn
Get Info service_name = SAMSS True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Process #99: net1.exe
Information Value
ID #99
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:24, Reason: Child Process
Unmonitor End Time: 00:04:25, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x53cc
Parent PID 0x525c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x53D0, 0x53D4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000006149a90000 0x6149a90000 0x6149aaffff Private Memory rw True False False -
pagefile_0x0000006149a90000 0x6149a90000 0x6149a9ffff Pagefile Backed Memory rw True False False -
private_0x0000006149aa0000 0x6149aa0000 0x6149aa6fff Private Memory rw True False False -
pagefile_0x0000006149ab0000 0x6149ab0000 0x6149ac3fff Pagefile Backed Memory r True False False -
private_0x0000006149ad0000 0x6149ad0000 0x6149b4ffff Private Memory rw True False False -
pagefile_0x0000006149b50000 0x6149b50000 0x6149b53fff Pagefile Backed Memory r True False False -
pagefile_0x0000006149b60000 0x6149b60000 0x6149b60fff Pagefile Backed Memory r True False False -
private_0x0000006149b70000 0x6149b70000 0x6149b71fff Private Memory rw True False False -
locale.nls 0x6149b80000 0x6149c3dfff Memory Mapped File r False False False -
private_0x0000006149c40000 0x6149c40000 0x6149cbffff Private Memory rw True False False -
private_0x0000006149cc0000 0x6149cc0000 0x6149cc6fff Private Memory rw True False False -
netmsg.dll 0x6149cd0000 0x6149cd2fff Memory Mapped File rwx False False False -
netmsg.dll.mui 0x6149ce0000 0x6149d11fff Memory Mapped File r False False False -
private_0x0000006149d40000 0x6149d40000 0x6149e3ffff Private Memory rw True False False -
private_0x0000006149f90000 0x6149f90000 0x6149f9ffff Private Memory rw True False False -
pagefile_0x00007df5ffd30000 0x7df5ffd30000 0x7ff5ffd2ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff719a90000 0x7ff719a90000 0x7ff719b8ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff719b90000 0x7ff719b90000 0x7ff719bb2fff Pagefile Backed Memory r True False False -
private_0x00007ff719bbb000 0x7ff719bbb000 0x7ff719bbcfff Private Memory rw True False False -
private_0x00007ff719bbd000 0x7ff719bbd000 0x7ff719bbefff Private Memory rw True False False -
private_0x00007ff719bbf000 0x7ff719bbf000 0x7ff719bbffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc505b0000 0x7ffc505c3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 71 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x6149cd0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (7)
Operation Additional Information Success Count Logfile
Control service_name = SAMSS True 1 Fn
Get Info service_name = SAMSS True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Process #100: net.exe
Information Value
ID #100
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:32, Reason: Child Process
Unmonitor End Time: 00:04:36, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x576c
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x5770, 0x58D0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000002a2d990000 0x2a2d990000 0x2a2d9affff Private Memory rw True False False -
pagefile_0x0000002a2d990000 0x2a2d990000 0x2a2d99ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000002a2d9b0000 0x2a2d9b0000 0x2a2d9c3fff Pagefile Backed Memory r True False False -
private_0x0000002a2d9d0000 0x2a2d9d0000 0x2a2da4ffff Private Memory rw True False False -
pagefile_0x0000002a2da50000 0x2a2da50000 0x2a2da53fff Pagefile Backed Memory r True False False -
pagefile_0x0000002a2da60000 0x2a2da60000 0x2a2da60fff Pagefile Backed Memory r True False False -
private_0x0000002a2da70000 0x2a2da70000 0x2a2da71fff Private Memory rw True False False -
private_0x0000002a2dac0000 0x2a2dac0000 0x2a2dbbffff Private Memory rw True False False -
locale.nls 0x2a2dbc0000 0x2a2dc7dfff Memory Mapped File r False False False -
pagefile_0x00007df5ffdc0000 0x7df5ffdc0000 0x7ff5ffdbffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7064e0000 0x7ff7064e0000 0x7ff7065dffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7065e0000 0x7ff7065e0000 0x7ff706602fff Pagefile Backed Memory r True False False -
private_0x00007ff706605000 0x7ff706605000 0x7ff706605fff Private Memory rw True False False -
private_0x00007ff70660e000 0x7ff70660e000 0x7ff70660ffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #102: net.exe
Information Value
ID #102
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:35, Reason: Child Process
Unmonitor End Time: 00:04:37, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x58dc
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x58E0, 0x5908
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000007008590000 0x7008590000 0x70085affff Private Memory rw True False False -
pagefile_0x0000007008590000 0x7008590000 0x700859ffff Pagefile Backed Memory rw True False False -
pagefile_0x00000070085b0000 0x70085b0000 0x70085c3fff Pagefile Backed Memory r True False False -
private_0x00000070085d0000 0x70085d0000 0x700864ffff Private Memory rw True False False -
pagefile_0x0000007008650000 0x7008650000 0x7008653fff Pagefile Backed Memory r True False False -
pagefile_0x0000007008660000 0x7008660000 0x7008660fff Pagefile Backed Memory r True False False -
private_0x0000007008670000 0x7008670000 0x7008671fff Private Memory rw True False False -
private_0x00000070086c0000 0x70086c0000 0x70087bffff Private Memory rw True False False -
locale.nls 0x70087c0000 0x700887dfff Memory Mapped File r False False False -
pagefile_0x00007df5ffc60000 0x7df5ffc60000 0x7ff5ffc5ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff705750000 0x7ff705750000 0x7ff70584ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff705850000 0x7ff705850000 0x7ff705872fff Pagefile Backed Memory r True False False -
private_0x00007ff70587d000 0x7ff70587d000 0x7ff70587efff Private Memory rw True False False -
private_0x00007ff70587f000 0x7ff70587f000 0x7ff70587ffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #104: net1.exe
Information Value
ID #104
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:35, Reason: Child Process
Unmonitor End Time: 00:04:36, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x58f4
Parent PID 0x576c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x58F8, 0x5904
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000e33c160000 0xe33c160000 0xe33c17ffff Private Memory rw True False False -
pagefile_0x000000e33c160000 0xe33c160000 0xe33c16ffff Pagefile Backed Memory rw True False False -
private_0x000000e33c170000 0xe33c170000 0xe33c176fff Private Memory rw True False False -
pagefile_0x000000e33c180000 0xe33c180000 0xe33c193fff Pagefile Backed Memory r True False False -
private_0x000000e33c1a0000 0xe33c1a0000 0xe33c21ffff Private Memory rw True False False -
pagefile_0x000000e33c220000 0xe33c220000 0xe33c223fff Pagefile Backed Memory r True False False -
pagefile_0x000000e33c230000 0xe33c230000 0xe33c230fff Pagefile Backed Memory r True False False -
private_0x000000e33c240000 0xe33c240000 0xe33c241fff Private Memory rw True False False -
private_0x000000e33c250000 0xe33c250000 0xe33c256fff Private Memory rw True False False -
private_0x000000e33c260000 0xe33c260000 0xe33c26ffff Private Memory rw True False False -
netmsg.dll 0xe33c270000 0xe33c272fff Memory Mapped File rwx False False False -
netmsg.dll.mui 0xe33c280000 0xe33c2b1fff Memory Mapped File r False False False -
private_0x000000e33c2c0000 0xe33c2c0000 0xe33c3bffff Private Memory rw True False False -
locale.nls 0xe33c3c0000 0xe33c47dfff Memory Mapped File r False False False -
private_0x000000e33c480000 0xe33c480000 0xe33c4fffff Private Memory rw True False False -
pagefile_0x00007df5ffa90000 0x7df5ffa90000 0x7ff5ffa8ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff71a050000 0x7ff71a050000 0x7ff71a14ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff71a150000 0x7ff71a150000 0x7ff71a172fff Pagefile Backed Memory r True False False -
private_0x00007ff71a17b000 0x7ff71a17b000 0x7ff71a17cfff Private Memory rw True False False -
private_0x00007ff71a17d000 0x7ff71a17d000 0x7ff71a17efff Private Memory rw True False False -
private_0x00007ff71a17f000 0x7ff71a17f000 0x7ff71a17ffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc505b0000 0x7ffc505c3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 71 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0xe33c270000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (7)
Operation Additional Information Success Count Logfile
Control service_name = SAMSS True 1 Fn
Get Info service_name = SAMSS True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Process #105: net1.exe
Information Value
ID #105
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:36, Reason: Child Process
Unmonitor End Time: 00:04:37, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x590c
Parent PID 0x58dc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x5910, 0x5914
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000ac9cb00000 0xac9cb00000 0xac9cb1ffff Private Memory rw True False False -
pagefile_0x000000ac9cb00000 0xac9cb00000 0xac9cb0ffff Pagefile Backed Memory rw True False False -
private_0x000000ac9cb10000 0xac9cb10000 0xac9cb16fff Private Memory rw True False False -
pagefile_0x000000ac9cb20000 0xac9cb20000 0xac9cb33fff Pagefile Backed Memory r True False False -
private_0x000000ac9cb40000 0xac9cb40000 0xac9cbbffff Private Memory rw True False False -
pagefile_0x000000ac9cbc0000 0xac9cbc0000 0xac9cbc3fff Pagefile Backed Memory r True False False -
pagefile_0x000000ac9cbd0000 0xac9cbd0000 0xac9cbd0fff Pagefile Backed Memory r True False False -
private_0x000000ac9cbe0000 0xac9cbe0000 0xac9cbe1fff Private Memory rw True False False -
locale.nls 0xac9cbf0000 0xac9ccadfff Memory Mapped File r False False False -
private_0x000000ac9ccb0000 0xac9ccb0000 0xac9cd2ffff Private Memory rw True False False -
private_0x000000ac9cd30000 0xac9cd30000 0xac9cd36fff Private Memory rw True False False -
netmsg.dll 0xac9cd40000 0xac9cd42fff Memory Mapped File rwx False False False -
netmsg.dll.mui 0xac9cd50000 0xac9cd81fff Memory Mapped File r False False False -
private_0x000000ac9cdc0000 0xac9cdc0000 0xac9cebffff Private Memory rw True False False -
private_0x000000ac9cf90000 0xac9cf90000 0xac9cf9ffff Private Memory rw True False False -
pagefile_0x00007df5ff5e0000 0x7df5ff5e0000 0x7ff5ff5dffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff719b10000 0x7ff719b10000 0x7ff719c0ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff719c10000 0x7ff719c10000 0x7ff719c32fff Pagefile Backed Memory r True False False -
private_0x00007ff719c37000 0x7ff719c37000 0x7ff719c37fff Private Memory rw True False False -
private_0x00007ff719c3c000 0x7ff719c3c000 0x7ff719c3dfff Private Memory rw True False False -
private_0x00007ff719c3e000 0x7ff719c3e000 0x7ff719c3ffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc505b0000 0x7ffc505c3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 71 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0xac9cd40000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (7)
Operation Additional Information Success Count Logfile
Control service_name = SAMSS True 1 Fn
Get Info service_name = SAMSS True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Process #106: net.exe
Information Value
ID #106
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:43, Reason: Child Process
Unmonitor End Time: 00:04:50, Reason: Self Terminated
Monitor Duration 00:00:07
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x5b1c
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x5B20, 0x5BB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000035ad320000 0x35ad320000 0x35ad33ffff Private Memory rw True False False -
pagefile_0x00000035ad320000 0x35ad320000 0x35ad32ffff Pagefile Backed Memory rw True False False -
pagefile_0x00000035ad340000 0x35ad340000 0x35ad353fff Pagefile Backed Memory r True False False -
private_0x00000035ad360000 0x35ad360000 0x35ad3dffff Private Memory rw True False False -
pagefile_0x00000035ad3e0000 0x35ad3e0000 0x35ad3e3fff Pagefile Backed Memory r True False False -
pagefile_0x00000035ad3f0000 0x35ad3f0000 0x35ad3f0fff Pagefile Backed Memory r True False False -
private_0x00000035ad400000 0x35ad400000 0x35ad401fff Private Memory rw True False False -
locale.nls 0x35ad410000 0x35ad4cdfff Memory Mapped File r False False False -
private_0x00000035ad520000 0x35ad520000 0x35ad61ffff Private Memory rw True False False -
pagefile_0x00007df5ff590000 0x7df5ff590000 0x7ff5ff58ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff705e20000 0x7ff705e20000 0x7ff705f1ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff705f20000 0x7ff705f20000 0x7ff705f42fff Pagefile Backed Memory r True False False -
private_0x00007ff705f4a000 0x7ff705f4a000 0x7ff705f4afff Private Memory rw True False False -
private_0x00007ff705f4e000 0x7ff705f4e000 0x7ff705f4ffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #108: net1.exe
Information Value
ID #108
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:45, Reason: Child Process
Unmonitor End Time: 00:04:49, Reason: Self Terminated
Monitor Duration 00:00:04
OS Process Information
Information Value
PID 0x5bc4
Parent PID 0x5b1c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x5BC8, 0x5BEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000ddc3b10000 0xddc3b10000 0xddc3b2ffff Private Memory rw True False False -
pagefile_0x000000ddc3b10000 0xddc3b10000 0xddc3b1ffff Pagefile Backed Memory rw True False False -
private_0x000000ddc3b20000 0xddc3b20000 0xddc3b26fff Private Memory rw True False False -
pagefile_0x000000ddc3b30000 0xddc3b30000 0xddc3b43fff Pagefile Backed Memory r True False False -
private_0x000000ddc3b50000 0xddc3b50000 0xddc3bcffff Private Memory rw True False False -
pagefile_0x000000ddc3bd0000 0xddc3bd0000 0xddc3bd3fff Pagefile Backed Memory r True False False -
pagefile_0x000000ddc3be0000 0xddc3be0000 0xddc3be0fff Pagefile Backed Memory r True False False -
private_0x000000ddc3bf0000 0xddc3bf0000 0xddc3bf1fff Private Memory rw True False False -
private_0x000000ddc3c00000 0xddc3c00000 0xddc3c06fff Private Memory rw True False False -
netmsg.dll 0xddc3c10000 0xddc3c12fff Memory Mapped File rwx False False False -
private_0x000000ddc3c50000 0xddc3c50000 0xddc3d4ffff Private Memory rw True False False -
locale.nls 0xddc3d50000 0xddc3e0dfff Memory Mapped File r False False False -
private_0x000000ddc3e10000 0xddc3e10000 0xddc3e8ffff Private Memory rw True False False -
netmsg.dll.mui 0xddc3e90000 0xddc3ec1fff Memory Mapped File r False False False -
private_0x000000ddc3ff0000 0xddc3ff0000 0xddc3ffffff Private Memory rw True False False -
pagefile_0x00007df5ff080000 0x7df5ff080000 0x7ff5ff07ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff719b10000 0x7ff719b10000 0x7ff719c0ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff719c10000 0x7ff719c10000 0x7ff719c32fff Pagefile Backed Memory r True False False -
private_0x00007ff719c36000 0x7ff719c36000 0x7ff719c36fff Private Memory rw True False False -
private_0x00007ff719c3c000 0x7ff719c3c000 0x7ff719c3dfff Private Memory rw True False False -
private_0x00007ff719c3e000 0x7ff719c3e000 0x7ff719c3ffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc505b0000 0x7ffc505c3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 71 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0xddc3c10000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (7)
Operation Additional Information Success Count Logfile
Control service_name = SAMSS True 1 Fn
Get Info service_name = SAMSS True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Process #109: net.exe
Information Value
ID #109
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:46, Reason: Child Process
Unmonitor End Time: 00:04:49, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x5904
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x58F4, 0x58F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000001221e40000 0x1221e40000 0x1221e5ffff Private Memory rw True False False -
pagefile_0x0000001221e40000 0x1221e40000 0x1221e4ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000001221e60000 0x1221e60000 0x1221e73fff Pagefile Backed Memory r True False False -
private_0x0000001221e80000 0x1221e80000 0x1221efffff Private Memory rw True False False -
pagefile_0x0000001221f00000 0x1221f00000 0x1221f03fff Pagefile Backed Memory r True False False -
pagefile_0x0000001221f10000 0x1221f10000 0x1221f10fff Pagefile Backed Memory r True False False -
private_0x0000001221f20000 0x1221f20000 0x1221f21fff Private Memory rw True False False -
locale.nls 0x1221f30000 0x1221fedfff Memory Mapped File r False False False -
private_0x0000001222090000 0x1222090000 0x122218ffff Private Memory rw True False False -
pagefile_0x00007df5ff2b0000 0x7df5ff2b0000 0x7ff5ff2affff Pagefile Backed Memory - True False False -
pagefile_0x00007ff706000000 0x7ff706000000 0x7ff7060fffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff706100000 0x7ff706100000 0x7ff706122fff Pagefile Backed Memory r True False False -
private_0x00007ff70612d000 0x7ff70612d000 0x7ff70612efff Private Memory rw True False False -
private_0x00007ff70612f000 0x7ff70612f000 0x7ff70612ffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #111: net1.exe
Information Value
ID #111
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:48, Reason: Child Process
Unmonitor End Time: 00:04:50, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x5c84
Parent PID 0x5904 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x5C88, 0x5D44
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000f7d5bf0000 0xf7d5bf0000 0xf7d5c0ffff Private Memory rw True False False -
pagefile_0x000000f7d5bf0000 0xf7d5bf0000 0xf7d5bfffff Pagefile Backed Memory rw True False False -
private_0x000000f7d5c00000 0xf7d5c00000 0xf7d5c06fff Private Memory rw True False False -
pagefile_0x000000f7d5c10000 0xf7d5c10000 0xf7d5c23fff Pagefile Backed Memory r True False False -
private_0x000000f7d5c30000 0xf7d5c30000 0xf7d5caffff Private Memory rw True False False -
pagefile_0x000000f7d5cb0000 0xf7d5cb0000 0xf7d5cb3fff Pagefile Backed Memory r True False False -
pagefile_0x000000f7d5cc0000 0xf7d5cc0000 0xf7d5cc0fff Pagefile Backed Memory r True False False -
private_0x000000f7d5cd0000 0xf7d5cd0000 0xf7d5cd1fff Private Memory rw True False False -
locale.nls 0xf7d5ce0000 0xf7d5d9dfff Memory Mapped File r False False False -
private_0x000000f7d5da0000 0xf7d5da0000 0xf7d5da6fff Private Memory rw True False False -
netmsg.dll 0xf7d5db0000 0xf7d5db2fff Memory Mapped File rwx False False False -
netmsg.dll.mui 0xf7d5dc0000 0xf7d5df1fff Memory Mapped File r False False False -
private_0x000000f7d5e10000 0xf7d5e10000 0xf7d5f0ffff Private Memory rw True False False -
private_0x000000f7d5f10000 0xf7d5f10000 0xf7d5f8ffff Private Memory rw True False False -
private_0x000000f7d60e0000 0xf7d60e0000 0xf7d60effff Private Memory rw True False False -
pagefile_0x00007df5ff610000 0x7df5ff610000 0x7ff5ff60ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff719510000 0x7ff719510000 0x7ff71960ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff719610000 0x7ff719610000 0x7ff719632fff Pagefile Backed Memory r True False False -
private_0x00007ff71963a000 0x7ff71963a000 0x7ff71963bfff Private Memory rw True False False -
private_0x00007ff71963c000 0x7ff71963c000 0x7ff71963dfff Private Memory rw True False False -
private_0x00007ff71963e000 0x7ff71963e000 0x7ff71963efff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc505b0000 0x7ffc505c3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0xf7d5db0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (7)
Operation Additional Information Success Count
Control service_name = SAMSS True 1
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Process #112: net.exe
Information Value
ID #112
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:53, Reason: Child Process
Unmonitor End Time: 00:04:55, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x5e50
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x5E54, 0x5EAC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000001f68540000 0x1f68540000 0x1f6855ffff Private Memory rw True False False -
pagefile_0x0000001f68540000 0x1f68540000 0x1f6854ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000001f68560000 0x1f68560000 0x1f68573fff Pagefile Backed Memory r True False False -
private_0x0000001f68580000 0x1f68580000 0x1f685fffff Private Memory rw True False False -
pagefile_0x0000001f68600000 0x1f68600000 0x1f68603fff Pagefile Backed Memory r True False False -
pagefile_0x0000001f68610000 0x1f68610000 0x1f68610fff Pagefile Backed Memory r True False False -
private_0x0000001f68620000 0x1f68620000 0x1f68621fff Private Memory rw True False False -
locale.nls 0x1f68630000 0x1f686edfff Memory Mapped File r False False False -
private_0x0000001f687d0000 0x1f687d0000 0x1f688cffff Private Memory rw True False False -
pagefile_0x00007df5ff6a0000 0x7df5ff6a0000 0x7ff5ff69ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff705880000 0x7ff705880000 0x7ff70597ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff705980000 0x7ff705980000 0x7ff7059a2fff Pagefile Backed Memory r True False False -
private_0x00007ff7059ad000 0x7ff7059ad000 0x7ff7059aefff Private Memory rw True False False -
private_0x00007ff7059af000 0x7ff7059af000 0x7ff7059affff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #114: net1.exe
Information Value
ID #114
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:54, Reason: Child Process
Unmonitor End Time: 00:04:54, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x5eb0
Parent PID 0x5e50 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x5EB4, 0x5ECC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000d36c270000 0xd36c270000 0xd36c28ffff Private Memory rw True False False -
pagefile_0x000000d36c270000 0xd36c270000 0xd36c27ffff Pagefile Backed Memory rw True False False -
private_0x000000d36c280000 0xd36c280000 0xd36c286fff Private Memory rw True False False -
pagefile_0x000000d36c290000 0xd36c290000 0xd36c2a3fff Pagefile Backed Memory r True False False -
private_0x000000d36c2b0000 0xd36c2b0000 0xd36c32ffff Private Memory rw True False False -
pagefile_0x000000d36c330000 0xd36c330000 0xd36c333fff Pagefile Backed Memory r True False False -
pagefile_0x000000d36c340000 0xd36c340000 0xd36c340fff Pagefile Backed Memory r True False False -
private_0x000000d36c350000 0xd36c350000 0xd36c351fff Private Memory rw True False False -
locale.nls 0xd36c360000 0xd36c41dfff Memory Mapped File r False False False -
private_0x000000d36c420000 0xd36c420000 0xd36c51ffff Private Memory rw True False False -
private_0x000000d36c520000 0xd36c520000 0xd36c59ffff Private Memory rw True False False -
private_0x000000d36c5a0000 0xd36c5a0000 0xd36c5a6fff Private Memory rw True False False -
netmsg.dll 0xd36c5b0000 0xd36c5b2fff Memory Mapped File rwx False False False -
netmsg.dll.mui 0xd36c5c0000 0xd36c5f1fff Memory Mapped File r False False False -
private_0x000000d36c700000 0xd36c700000 0xd36c70ffff Private Memory rw True False False -
pagefile_0x00007df5ff470000 0x7df5ff470000 0x7ff5ff46ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7198b0000 0x7ff7198b0000 0x7ff7199affff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7199b0000 0x7ff7199b0000 0x7ff7199d2fff Pagefile Backed Memory r True False False -
private_0x00007ff7199db000 0x7ff7199db000 0x7ff7199dcfff Private Memory rw True False False -
private_0x00007ff7199dd000 0x7ff7199dd000 0x7ff7199ddfff Private Memory rw True False False -
private_0x00007ff7199de000 0x7ff7199de000 0x7ff7199dffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc505a0000 0x7ffc505b3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0xd36c5b0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (7)
Operation Additional Information Success Count
Control service_name = SAMSS True 1
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Process #115: net.exe
Information Value
ID #115
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:56, Reason: Child Process
Unmonitor End Time: 00:04:59, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x5f58
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x5F5C, 0x5F94
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000003e74330000 0x3e74330000 0x3e7434ffff Private Memory rw True False False -
pagefile_0x0000003e74330000 0x3e74330000 0x3e7433ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000003e74350000 0x3e74350000 0x3e74363fff Pagefile Backed Memory r True False False -
private_0x0000003e74370000 0x3e74370000 0x3e743effff Private Memory rw True False False -
pagefile_0x0000003e743f0000 0x3e743f0000 0x3e743f3fff Pagefile Backed Memory r True False False -
pagefile_0x0000003e74400000 0x3e74400000 0x3e74400fff Pagefile Backed Memory r True False False -
private_0x0000003e74410000 0x3e74410000 0x3e74411fff Private Memory rw True False False -
locale.nls 0x3e74420000 0x3e744ddfff Memory Mapped File r False False False -
private_0x0000003e745f0000 0x3e745f0000 0x3e746effff Private Memory rw True False False -
pagefile_0x00007df5fff20000 0x7df5fff20000 0x7ff5fff1ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7057a0000 0x7ff7057a0000 0x7ff70589ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7058a0000 0x7ff7058a0000 0x7ff7058c2fff Pagefile Backed Memory r True False False -
private_0x00007ff7058cb000 0x7ff7058cb000 0x7ff7058cbfff Private Memory rw True False False -
private_0x00007ff7058ce000 0x7ff7058ce000 0x7ff7058cffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #117: net1.exe
Information Value
ID #117
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:04:57, Reason: Child Process
Unmonitor End Time: 00:04:58, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x5fa8
Parent PID 0x5f58 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x5FAC, 0x5FB0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000df0e8a0000 0xdf0e8a0000 0xdf0e8bffff Private Memory rw True False False -
pagefile_0x000000df0e8a0000 0xdf0e8a0000 0xdf0e8affff Pagefile Backed Memory rw True False False -
private_0x000000df0e8b0000 0xdf0e8b0000 0xdf0e8b6fff Private Memory rw True False False -
pagefile_0x000000df0e8c0000 0xdf0e8c0000 0xdf0e8d3fff Pagefile Backed Memory r True False False -
private_0x000000df0e8e0000 0xdf0e8e0000 0xdf0e95ffff Private Memory rw True False False -
pagefile_0x000000df0e960000 0xdf0e960000 0xdf0e963fff Pagefile Backed Memory r True False False -
pagefile_0x000000df0e970000 0xdf0e970000 0xdf0e970fff Pagefile Backed Memory r True False False -
private_0x000000df0e980000 0xdf0e980000 0xdf0e981fff Private Memory rw True False False -
locale.nls 0xdf0e990000 0xdf0ea4dfff Memory Mapped File r False False False -
private_0x000000df0ea50000 0xdf0ea50000 0xdf0eacffff Private Memory rw True False False -
private_0x000000df0ead0000 0xdf0ead0000 0xdf0ead6fff Private Memory rw True False False -
netmsg.dll 0xdf0eae0000 0xdf0eae2fff Memory Mapped File rwx False False False -
private_0x000000df0eb00000 0xdf0eb00000 0xdf0ebfffff Private Memory rw True False False -
netmsg.dll.mui 0xdf0ec00000 0xdf0ec31fff Memory Mapped File r False False False -
private_0x000000df0ec60000 0xdf0ec60000 0xdf0ec6ffff Private Memory rw True False False -
pagefile_0x00007df5ff240000 0x7df5ff240000 0x7ff5ff23ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff719600000 0x7ff719600000 0x7ff7196fffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff719700000 0x7ff719700000 0x7ff719722fff Pagefile Backed Memory r True False False -
private_0x00007ff719725000 0x7ff719725000 0x7ff719725fff Private Memory rw True False False -
private_0x00007ff71972c000 0x7ff71972c000 0x7ff71972dfff Private Memory rw True False False -
private_0x00007ff71972e000 0x7ff71972e000 0x7ff71972ffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc505a0000 0x7ffc505b3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0xdf0eae0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (7)
Operation Additional Information Success Count
Control service_name = SAMSS True 1
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Process #118: net.exe
Information Value
ID #118
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:05:03, Reason: Child Process
Unmonitor End Time: 00:05:07, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x6498
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x649C, 0x64B8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000777dbf0000 0x777dbf0000 0x777dc0ffff Private Memory rw True False False -
pagefile_0x000000777dbf0000 0x777dbf0000 0x777dbfffff Pagefile Backed Memory rw True False False -
pagefile_0x000000777dc10000 0x777dc10000 0x777dc23fff Pagefile Backed Memory r True False False -
private_0x000000777dc30000 0x777dc30000 0x777dcaffff Private Memory rw True False False -
pagefile_0x000000777dcb0000 0x777dcb0000 0x777dcb3fff Pagefile Backed Memory r True False False -
pagefile_0x000000777dcc0000 0x777dcc0000 0x777dcc0fff Pagefile Backed Memory r True False False -
private_0x000000777dcd0000 0x777dcd0000 0x777dcd1fff Private Memory rw True False False -
locale.nls 0x777dce0000 0x777dd9dfff Memory Mapped File r False False False -
private_0x000000777dde0000 0x777dde0000 0x777dedffff Private Memory rw True False False -
pagefile_0x00007df5ff2d0000 0x7df5ff2d0000 0x7ff5ff2cffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7062a0000 0x7ff7062a0000 0x7ff70639ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7063a0000 0x7ff7063a0000 0x7ff7063c2fff Pagefile Backed Memory r True False False -
private_0x00007ff7063c4000 0x7ff7063c4000 0x7ff7063c4fff Private Memory rw True False False -
private_0x00007ff7063ce000 0x7ff7063ce000 0x7ff7063cffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #120: net1.exe
Information Value
ID #120
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:05:04, Reason: Child Process
Unmonitor End Time: 00:05:06, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x64d0
Parent PID 0x6498 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x64D4, 0x64E8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000000dc36e0000 0xdc36e0000 0xdc36fffff Private Memory rw True False False -
pagefile_0x0000000dc36e0000 0xdc36e0000 0xdc36effff Pagefile Backed Memory rw True False False -
private_0x0000000dc36f0000 0xdc36f0000 0xdc36f6fff Private Memory rw True False False -
pagefile_0x0000000dc3700000 0xdc3700000 0xdc3713fff Pagefile Backed Memory r True False False -
private_0x0000000dc3720000 0xdc3720000 0xdc379ffff Private Memory rw True False False -
pagefile_0x0000000dc37a0000 0xdc37a0000 0xdc37a3fff Pagefile Backed Memory r True False False -
pagefile_0x0000000dc37b0000 0xdc37b0000 0xdc37b0fff Pagefile Backed Memory r True False False -
private_0x0000000dc37c0000 0xdc37c0000 0xdc37c1fff Private Memory rw True False False -
private_0x0000000dc37d0000 0xdc37d0000 0xdc384ffff Private Memory rw True False False -
private_0x0000000dc3850000 0xdc3850000 0xdc394ffff Private Memory rw True False False -
locale.nls 0xdc3950000 0xdc3a0dfff Memory Mapped File r False False False -
private_0x0000000dc3a10000 0xdc3a10000 0xdc3a1ffff Private Memory rw True False False -
private_0x0000000dc3a20000 0xdc3a20000 0xdc3a26fff Private Memory rw True False False -
netmsg.dll 0xdc3a30000 0xdc3a32fff Memory Mapped File rwx False False False -
netmsg.dll.mui 0xdc3a40000 0xdc3a71fff Memory Mapped File r False False False -
pagefile_0x00007df5ff970000 0x7df5ff970000 0x7ff5ff96ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff71a0a0000 0x7ff71a0a0000 0x7ff71a19ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff71a1a0000 0x7ff71a1a0000 0x7ff71a1c2fff Pagefile Backed Memory r True False False -
private_0x00007ff71a1ca000 0x7ff71a1ca000 0x7ff71a1cafff Private Memory rw True False False -
private_0x00007ff71a1cc000 0x7ff71a1cc000 0x7ff71a1cdfff Private Memory rw True False False -
private_0x00007ff71a1ce000 0x7ff71a1ce000 0x7ff71a1cffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc505a0000 0x7ffc505b3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0xdc3a30000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (7)
Operation Additional Information Success Count
Control service_name = SAMSS True 1
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Process #121: net.exe
Information Value
ID #121
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:05:07, Reason: Child Process
Unmonitor End Time: 00:05:10, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x65a4
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x65A8, 0x65F4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000005420410000 0x5420410000 0x542042ffff Private Memory rw True False False -
pagefile_0x0000005420410000 0x5420410000 0x542041ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000005420430000 0x5420430000 0x5420443fff Pagefile Backed Memory r True False False -
private_0x0000005420450000 0x5420450000 0x54204cffff Private Memory rw True False False -
pagefile_0x00000054204d0000 0x54204d0000 0x54204d3fff Pagefile Backed Memory r True False False -
pagefile_0x00000054204e0000 0x54204e0000 0x54204e0fff Pagefile Backed Memory r True False False -
private_0x00000054204f0000 0x54204f0000 0x54204f1fff Private Memory rw True False False -
locale.nls 0x5420500000 0x54205bdfff Memory Mapped File r False False False -
private_0x0000005420680000 0x5420680000 0x542077ffff Private Memory rw True False False -
pagefile_0x00007df5ffbe0000 0x7df5ffbe0000 0x7ff5ffbdffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff705ec0000 0x7ff705ec0000 0x7ff705fbffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff705fc0000 0x7ff705fc0000 0x7ff705fe2fff Pagefile Backed Memory r True False False -
private_0x00007ff705fec000 0x7ff705fec000 0x7ff705fecfff Private Memory rw True False False -
private_0x00007ff705fee000 0x7ff705fee000 0x7ff705feffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #123: net1.exe
Information Value
ID #123
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:05:07, Reason: Child Process
Unmonitor End Time: 00:05:08, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x65f8
Parent PID 0x65a4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x65FC, 0x661C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000a48f330000 0xa48f330000 0xa48f34ffff Private Memory rw True False False -
pagefile_0x000000a48f330000 0xa48f330000 0xa48f33ffff Pagefile Backed Memory rw True False False -
private_0x000000a48f340000 0xa48f340000 0xa48f346fff Private Memory rw True False False -
pagefile_0x000000a48f350000 0xa48f350000 0xa48f363fff Pagefile Backed Memory r True False False -
private_0x000000a48f370000 0xa48f370000 0xa48f3effff Private Memory rw True False False -
pagefile_0x000000a48f3f0000 0xa48f3f0000 0xa48f3f3fff Pagefile Backed Memory r True False False -
pagefile_0x000000a48f400000 0xa48f400000 0xa48f400fff Pagefile Backed Memory r True False False -
private_0x000000a48f410000 0xa48f410000 0xa48f411fff Private Memory rw True False False -
private_0x000000a48f420000 0xa48f420000 0xa48f49ffff Private Memory rw True False False -
private_0x000000a48f4a0000 0xa48f4a0000 0xa48f59ffff Private Memory rw True False False -
locale.nls 0xa48f5a0000 0xa48f65dfff Memory Mapped File r False False False -
private_0x000000a48f660000 0xa48f660000 0xa48f666fff Private Memory rw True False False -
netmsg.dll 0xa48f670000 0xa48f672fff Memory Mapped File rwx False False False -
private_0x000000a48f690000 0xa48f690000 0xa48f69ffff Private Memory rw True False False -
netmsg.dll.mui 0xa48f6a0000 0xa48f6d1fff Memory Mapped File r False False False -
pagefile_0x00007df5ffc80000 0x7df5ffc80000 0x7ff5ffc7ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff719f00000 0x7ff719f00000 0x7ff719ffffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff71a000000 0x7ff71a000000 0x7ff71a022fff Pagefile Backed Memory r True False False -
private_0x00007ff71a028000 0x7ff71a028000 0x7ff71a028fff Private Memory rw True False False -
private_0x00007ff71a02c000 0x7ff71a02c000 0x7ff71a02dfff Private Memory rw True False False -
private_0x00007ff71a02e000 0x7ff71a02e000 0x7ff71a02ffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc505a0000 0x7ffc505b3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 71 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0xa48f670000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (7)
Operation Additional Information Success Count Logfile
Control service_name = SAMSS True 1 Fn
Get Info service_name = SAMSS True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Process #124: net.exe
Information Value
ID #124
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:05:14, Reason: Child Process
Unmonitor End Time: 00:05:16, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x3f0
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x3CC, 0x6838
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000bfc7d50000 0xbfc7d50000 0xbfc7d6ffff Private Memory rw True False False -
pagefile_0x000000bfc7d50000 0xbfc7d50000 0xbfc7d5ffff Pagefile Backed Memory rw True False False -
pagefile_0x000000bfc7d70000 0xbfc7d70000 0xbfc7d83fff Pagefile Backed Memory r True False False -
private_0x000000bfc7d90000 0xbfc7d90000 0xbfc7e0ffff Private Memory rw True False False -
pagefile_0x000000bfc7e10000 0xbfc7e10000 0xbfc7e13fff Pagefile Backed Memory r True False False -
pagefile_0x000000bfc7e20000 0xbfc7e20000 0xbfc7e20fff Pagefile Backed Memory r True False False -
private_0x000000bfc7e30000 0xbfc7e30000 0xbfc7e31fff Private Memory rw True False False -
locale.nls 0xbfc7e40000 0xbfc7efdfff Memory Mapped File r False False False -
private_0x000000bfc7fd0000 0xbfc7fd0000 0xbfc80cffff Private Memory rw True False False -
pagefile_0x00007df5fff00000 0x7df5fff00000 0x7ff5ffefffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff706180000 0x7ff706180000 0x7ff70627ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff706280000 0x7ff706280000 0x7ff7062a2fff Pagefile Backed Memory r True False False -
private_0x00007ff7062ad000 0x7ff7062ad000 0x7ff7062aefff Private Memory rw True False False -
private_0x00007ff7062af000 0x7ff7062af000 0x7ff7062affff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #126: net1.exe
Information Value
ID #126
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:05:14, Reason: Child Process
Unmonitor End Time: 00:05:16, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x683c
Parent PID 0x3f0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x6840, 0x6848
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000030d2db0000 0x30d2db0000 0x30d2dcffff Private Memory rw True False False -
pagefile_0x00000030d2db0000 0x30d2db0000 0x30d2dbffff Pagefile Backed Memory rw True False False -
private_0x00000030d2dc0000 0x30d2dc0000 0x30d2dc6fff Private Memory rw True False False -
pagefile_0x00000030d2dd0000 0x30d2dd0000 0x30d2de3fff Pagefile Backed Memory r True False False -
private_0x00000030d2df0000 0x30d2df0000 0x30d2e6ffff Private Memory rw True False False -
pagefile_0x00000030d2e70000 0x30d2e70000 0x30d2e73fff Pagefile Backed Memory r True False False -
pagefile_0x00000030d2e80000 0x30d2e80000 0x30d2e80fff Pagefile Backed Memory r True False False -
private_0x00000030d2e90000 0x30d2e90000 0x30d2e91fff Private Memory rw True False False -
locale.nls 0x30d2ea0000 0x30d2f5dfff Memory Mapped File r False False False -
private_0x00000030d2f60000 0x30d2f60000 0x30d2fdffff Private Memory rw True False False -
private_0x00000030d2fe0000 0x30d2fe0000 0x30d2fe6fff Private Memory rw True False False -
netmsg.dll 0x30d2ff0000 0x30d2ff2fff Memory Mapped File rwx False False False -
private_0x00000030d3000000 0x30d3000000 0x30d30fffff Private Memory rw True False False -
private_0x00000030d3120000 0x30d3120000 0x30d312ffff Private Memory rw True False False -
netmsg.dll.mui 0x30d3130000 0x30d3161fff Memory Mapped File r False False False -
pagefile_0x00007df5ffd80000 0x7df5ffd80000 0x7ff5ffd7ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7199d0000 0x7ff7199d0000 0x7ff719acffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff719ad0000 0x7ff719ad0000 0x7ff719af2fff Pagefile Backed Memory r True False False -
private_0x00007ff719afa000 0x7ff719afa000 0x7ff719afbfff Private Memory rw True False False -
private_0x00007ff719afc000 0x7ff719afc000 0x7ff719afcfff Private Memory rw True False False -
private_0x00007ff719afe000 0x7ff719afe000 0x7ff719afffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc505a0000 0x7ffc505b3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 71 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x30d2ff0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (7)
Operation Additional Information Success Count Logfile
Control service_name = SAMSS True 1 Fn
Get Info service_name = SAMSS True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Process #127: net.exe
Information Value
ID #127
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:05:17, Reason: Child Process
Unmonitor End Time: 00:05:21, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x69c0
Parent PID 0x52c (c:\users\public\mksmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x69C4, 0x6B94
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000019e8540000 0x19e8540000 0x19e855ffff Private Memory rw True False False -
pagefile_0x00000019e8540000 0x19e8540000 0x19e854ffff Pagefile Backed Memory rw True False False -
pagefile_0x00000019e8560000 0x19e8560000 0x19e8573fff Pagefile Backed Memory r True False False -
private_0x00000019e8580000 0x19e8580000 0x19e85fffff Private Memory rw True False False -
pagefile_0x00000019e8600000 0x19e8600000 0x19e8603fff Pagefile Backed Memory r True False False -
pagefile_0x00000019e8610000 0x19e8610000 0x19e8610fff Pagefile Backed Memory r True False False -
private_0x00000019e8620000 0x19e8620000 0x19e8621fff Private Memory rw True False False -
private_0x00000019e86d0000 0x19e86d0000 0x19e87cffff Private Memory rw True False False -
locale.nls 0x19e87d0000 0x19e888dfff Memory Mapped File r False False False -
pagefile_0x00007df5ff210000 0x7df5ff210000 0x7ff5ff20ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff705da0000 0x7ff705da0000 0x7ff705e9ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff705ea0000 0x7ff705ea0000 0x7ff705ec2fff Pagefile Backed Memory r True False False -
private_0x00007ff705eca000 0x7ff705eca000 0x7ff705ecafff Private Memory rw True False False -
private_0x00007ff705ece000 0x7ff705ece000 0x7ff705ecffff Private Memory rw True False False -
net.exe 0x7ff7067c0000 0x7ff7067dcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Process #129: net1.exe
Information Value
ID #129
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "samss" /y
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:05:19, Reason: Child Process
Unmonitor End Time: 00:05:22, Reason: Self Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0x6be4
Parent PID 0x69c0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x6BE8, 0x6C2C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000009a319c0000 0x9a319c0000 0x9a319dffff Private Memory rw True False False -
pagefile_0x0000009a319c0000 0x9a319c0000 0x9a319cffff Pagefile Backed Memory rw True False False -
private_0x0000009a319d0000 0x9a319d0000 0x9a319d6fff Private Memory rw True False False -
pagefile_0x0000009a319e0000 0x9a319e0000 0x9a319f3fff Pagefile Backed Memory r True False False -
private_0x0000009a31a00000 0x9a31a00000 0x9a31a7ffff Private Memory rw True False False -
pagefile_0x0000009a31a80000 0x9a31a80000 0x9a31a83fff Pagefile Backed Memory r True False False -
pagefile_0x0000009a31a90000 0x9a31a90000 0x9a31a90fff Pagefile Backed Memory r True False False -
private_0x0000009a31aa0000 0x9a31aa0000 0x9a31aa1fff Private Memory rw True False False -
locale.nls 0x9a31ab0000 0x9a31b6dfff Memory Mapped File r False False False -
private_0x0000009a31b70000 0x9a31b70000 0x9a31b76fff Private Memory rw True False False -
private_0x0000009a31b80000 0x9a31b80000 0x9a31b8ffff Private Memory rw True False False -
netmsg.dll 0x9a31b90000 0x9a31b92fff Memory Mapped File rwx False False False -
private_0x0000009a31bb0000 0x9a31bb0000 0x9a31caffff Private Memory rw True False False -
private_0x0000009a31cb0000 0x9a31cb0000 0x9a31d2ffff Private Memory rw True False False -
netmsg.dll.mui 0x9a31d30000 0x9a31d61fff Memory Mapped File r False False False -
pagefile_0x00007df5fff80000 0x7df5fff80000 0x7ff5fff7ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff71a300000 0x7ff71a300000 0x7ff71a3fffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff71a400000 0x7ff71a400000 0x7ff71a422fff Pagefile Backed Memory r True False False -
private_0x00007ff71a42a000 0x7ff71a42a000 0x7ff71a42bfff Private Memory rw True False False -
private_0x00007ff71a42c000 0x7ff71a42c000 0x7ff71a42cfff Private Memory rw True False False -
private_0x00007ff71a42e000 0x7ff71a42e000 0x7ff71a42ffff Private Memory rw True False False -
net1.exe 0x7ff71a490000 0x7ff71a4cbfff Memory Mapped File rwx True False False -
browcli.dll 0x7ffc505a0000 0x7ffc505b3fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffc50ec0000 0x7ffc50ed7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffc514b0000 0x7ffc514c5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7ffc51ca0000 0x7ffc51ca9fff Memory Mapped File rwx False False False -
netutils.dll 0x7ffc53830000 0x7ffc5383bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffc53840000 0x7ffc53865fff Memory Mapped File rwx False False False -
logoncli.dll 0x7ffc53ba0000 0x7ffc53bddfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffc543a0000 0x7ffc543c7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffc55040000 0x7ffc5521cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffc552c0000 0x7ffc5535cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffc55800000 0x7ffc558acfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffc570a0000 0x7ffc571c5fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffc57540000 0x7ffc5759afff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffc57b50000 0x7ffc57d11fff Memory Mapped File rwx False False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 71 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x9a31b90000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0x7ff71a490000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (7)
Operation Additional Information Success Count Logfile
Control service_name = SAMSS True 1 Fn
Get Info service_name = SAMSS True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
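The three net.exe / net1.exe pairs above (#121/#123, #124/#126, #127/#129) are the sample asking to stop the Security Accounts Manager service (samss) three times within about ten seconds, each time with /y to suppress the confirmation prompt, from mksmd.exe running out of c:\users\public. net.exe only delegates to net1.exe, which is where the service-control calls are logged; net1.exe also writes to its standard error handle, which is consistent with net reporting an error, although the report does not show the message text. The following Python is an added example for detecting that pattern in process-creation telemetry; it is not part of the VMRay report. It assumes Sysmon Event ID 1-style fields (Image, CommandLine, ParentImage), treats only parents under C:\Windows\System32 and C:\Windows\SysWOW64 as routine administration, and uses an assumed burst threshold of three stops of one service within 30 seconds. The sample events reuse the PIDs and clock offsets of the three samss attempts in this report, mapped onto an arbitrary date, plus an invented benign cmd.exe control case.

```python
"""Flag 'net stop' of sensitive services launched from an untrusted parent."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Services this sample stopped through net.exe (from the report's command lines).
SENSITIVE_SERVICES = {"samss", "spooler", "audioendpointbuilder"}
# Parents launching "net stop" from here are treated as routine administration;
# an assumption for this example, tune to the environment.
TRUSTED_PARENT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BURST_COUNT, BURST_WINDOW = 3, timedelta(seconds=30)  # assumed thresholds


@dataclass(frozen=True)
class ProcEvent:  # field names follow Sysmon Event ID 1 (assumed telemetry source)
    utc_time: datetime
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


@dataclass(frozen=True)
class Alert:
    pid: int
    service: str
    parent_image: str
    severity: str
    reason: str


def tokenize(command_line: str) -> list[str]:
    """Split a Windows command line, keeping quoted paths whole. shlex in POSIX
    mode treats backslashes in unquoted paths as escapes, so a regex is used."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def stopped_service(ev: ProcEvent) -> str | None:
    """Return the lower-cased service name for 'net[1] stop <svc> ...', else None."""
    if ev.image.rsplit("\\", 1)[-1].lower() not in ("net.exe", "net1.exe"):
        return None
    args = tokenize(ev.command_line)
    if len(args) < 3 or args[1].lower() != "stop":
        return None
    return args[2].lower()


def is_trusted_parent(parent_image: str) -> bool:
    return parent_image.lower().startswith(TRUSTED_PARENT_DIRS)


def detect(events: list[ProcEvent]) -> list[Alert]:
    """One alert per net.exe stop request; net1.exe is net.exe's own helper
    (see the parent PIDs in the report), so it is not counted a second time."""
    alerts: list[Alert] = []
    history: dict[tuple[int, str], list[datetime]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.utc_time):
        svc = stopped_service(ev)
        if svc is None or ev.parent_image.lower().endswith("\\net.exe"):
            continue
        key = (ev.parent_pid, svc)  # burst = same parent stopping the same service
        history[key] = [t for t in history[key] if ev.utc_time - t <= BURST_WINDOW]
        history[key].append(ev.utc_time)
        reasons, severity = [], "low"
        if svc in SENSITIVE_SERVICES:
            reasons.append(f"stop of sensitive service {svc}")
            severity = "medium"
        if not is_trusted_parent(ev.parent_image):
            reasons.append(f"untrusted parent {ev.parent_image}")
            severity = "high"
        if len(history[key]) >= BURST_COUNT:
            reasons.append(f"{len(history[key])} stop attempts within {BURST_WINDOW.seconds}s")
            severity = "high"
        if reasons:
            alerts.append(Alert(ev.pid, svc, ev.parent_image, severity, "; ".join(reasons)))
    return alerts


def _ev(hms: str, pid: int, image: str, cmd: str, ppid: int, pimage: str) -> ProcEvent:
    return ProcEvent(datetime.fromisoformat(f"2019-02-27T{hms}"), pid, image, cmd, ppid, pimage)


NET, NET1 = r"C:\Windows\System32\net.exe", r"C:\Windows\System32\net1.exe"
MKSMD, CMD = r"C:\Users\Public\MKSMD.exe", r"C:\Windows\System32\cmd.exe"
STOP_SAMSS = r'"C:\Windows\System32\net.exe" stop "samss" /y'
STOP_SAMSS1 = r'C:\Windows\system32\net1 stop "samss" /y'

# Constructed sample telemetry: PIDs and clock offsets come from the three samss
# stop attempts in this report (mapped onto an arbitrary date); the final cmd.exe
# event is an invented benign control case.
SAMPLE_EVENTS = [
    _ev("00:05:07", 0x65A4, NET, STOP_SAMSS, 0x52C, MKSMD),
    _ev("00:05:07", 0x65F8, NET1, STOP_SAMSS1, 0x65A4, NET),
    _ev("00:05:14", 0x3F0, NET, STOP_SAMSS, 0x52C, MKSMD),
    _ev("00:05:14", 0x683C, NET1, STOP_SAMSS1, 0x3F0, NET),
    _ev("00:05:17", 0x69C0, NET, STOP_SAMSS, 0x52C, MKSMD),
    _ev("00:05:19", 0x6BE4, NET1, STOP_SAMSS1, 0x69C0, NET),
    _ev("00:09:00", 0x1234, NET, '"C:\\Windows\\System32\\net.exe" stop spooler', 0x1000, CMD),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] pid={a.pid:#x} service={a.service} {a.reason}")
```

Run against the constructed events, the three mksmd.exe-parented requests each produce a high-severity alert because the parent lives in a user-writable directory, the third one additionally carrying the burst reason, while the cmd.exe control case only rates medium for touching a sensitive service. Keying the burst on (parent PID, service) rather than on the child PID is what makes the repeated attempts visible: every net.exe instance in the report is a fresh process, but all of them share the parent 0x52c.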