1f0a6c92c237cbf344dedc841259f1da6b2d8742fcafb6926f746a48bbe0919f (SHA256)
%APPDATA%roamingmicrosoftwindowsstart menuprogramsstartup8gfg.exe
Windows Exe (x86-32)
Created at 2019-01-04 14:38:00
Notifications (2/2)
The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.
The operating system was rebooted during the analysis.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: %appdata%roamingmicrosoftwindowsstart menuprogramsstartup8gfg.exe
10
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\5p5nrgjn0js halpmcxz\desktop\%appdata%roamingmicrosoftwindowsstart menuprogramsstartup8gfg.exe |
| Command Line | "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\%APPDATA%roamingmicrosoftwindowsstart menuprogramsstartup8gfg.exe" |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:55, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:08, Reason: Self Terminated |
| Monitor Duration | 00:00:13 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xaac |
| Parent PID | 0x458 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AB0
0x
0
0x
ABC
0x
AC0
0x
AC4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x000fffff | Private Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x00100000 | 0x0013bfff | Memory Mapped File | r |
|
|
|
- |
| windowsshell.manifest | 0x00100000 | 0x00100fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00100fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00111fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x00130000 | 0x00133fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x00130000 | 0x00133fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db | 0x00190000 | 0x001aefff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db | 0x002b0000 | 0x002dffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x002e0000 | 0x002e3fff | Memory Mapped File | r |
|
|
|
- |
| %appdata%roamingmicrosoftwindowsstart menuprogramsstartup8gfg.exe | 0x002f0000 | 0x002f8fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x0000000000300000 | 0x00300000 | 0x00306fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00311fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00320fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00460000 | 0x004c6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x006c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x00850fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x01c5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01c60000 | 0x01f2efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001f30000 | 0x01f30000 | 0x0200ffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01f30000 | 0x01f95fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001fd0000 | 0x01fd0000 | 0x0200ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002010000 | 0x02010000 | 0x020eefff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000020f0000 | 0x020f0000 | 0x021f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002190000 | 0x02190000 | 0x021cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000021f0000 | 0x021f0000 | 0x022effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000022f0000 | 0x022f0000 | 0x023f0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000022f0000 | 0x022f0000 | 0x026e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000026f0000 | 0x026f0000 | 0x027f0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027a0000 | 0x027a0000 | 0x027dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028c0000 | 0x028c0000 | 0x029bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a80000 | 0x02a80000 | 0x02b7ffff | Private Memory | rw |
|
|
|
- |
| uxtheme.dll | 0x74d00000 | 0x74d7ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x74ec0000 | 0x74eedfff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ef0000 | 0x74f3bfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x74f40000 | 0x74f4afff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74f50000 | 0x74f70fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74f80000 | 0x7511dfff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x75120000 | 0x75214fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x75220000 | 0x7525afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75260000 | 0x75275fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x75280000 | 0x75291fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x754b0000 | 0x75532fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75540000 | 0x7569bfff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x756a0000 | 0x756e4fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x757f0000 | 0x759eafff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x75be0000 | 0x75cd4fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75ce0000 | 0x75d36fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75e10000 | 0x75e21fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75f60000 | 0x75feefff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x75ff0000 | 0x7618cfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76190000 | 0x762acfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x762e0000 | 0x76415fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x76640000 | 0x76666fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76670000 | 0x772b9fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x772c0000 | 0x772cbfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\%APPDATA%roamingmicrosoftwindowsstart menuprogramsstartup8gfg.exe | 18.00 KB |
MD5:
5a054e4b94c144afdf259c0ba19d0693
SHA1: 42449f01ac3e9b0676a75d6053ec3a566d6f14a3 SHA256: 1f0a6c92c237cbf344dedc841259f1da6b2d8742fcafb6926f746a48bbe0919f SSDeep: 384:95/Gu5S5C2js70eOeF5eawczDyhoZhKrbr:9BGX42jsNzNXzDyhoZUrb |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YFeKw5dmGYVjgc.exe | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| C:\Users\5P5NRG~1\AppData\Local\Temp\1296.tmp.bat | 0.30 KB |
MD5:
2e83fd14e6b70b3b3b3a7b1c47b2fc1f
SHA1: a60113e1e6be64da73695c5ec56ba9fef1409392 SHA256: 244fe82fa86db3766b8df452f52ecd1c3daf7db51ff8c12315d5477a35aa1a56 SSDeep: 6:hHUTk4FA8y40MhiXoKKWOrIvMD2UUTk4FA8y40MhiXoKKWOrY0/Hm1gfbci23fSD:eT6x40MkXXNOqT6x40MkXXNOM0/Hm+zn |
|
|
Host Behavior
File (4)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5P5NRG~1\AppData\Local\Temp\1296.tmp.bat | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Temp File | C:\Users\5P5NRG~1\AppData\Local\Temp\1296.tmp | path = C:\Users\5P5NRG~1\AppData\Local\Temp |
|
1 | |
| Copy | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YFeKw5dmGYVjgc.exe | source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\%APPDATA%roamingmicrosoftwindowsstart menuprogramsstartup8gfg.exe |
|
1 | |
| Write | C:\Users\5P5NRG~1\AppData\Local\Temp\1296.tmp.bat | size = 309 |
|
1 |
Registry (1)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender | - |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YFeKw5dmGYVjgc.exe | show_window = SW_SHOW |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xad0, creation_flags = CREATE_DEFAULT_ERROR_MODE, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\users\5p5nrgjn0js halpmcxz\desktop\%appdata%roamingmicrosoftwindowsstart menuprogramsstartup8gfg.exe | base_address = 0x2f0000 |
|
1 | |
| Get Filename | - | process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\%appdata%roamingmicrosoftwindowsstart menuprogramsstartup8gfg.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\%APPDATA%roamingmicrosoftwindowsstart menuprogramsstartup8gfg.exe, size = 260 |
|
2 |
Process #2: yfekw5dmgyvjgc.exe
2477
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\start menu\programs\startup\yfekw5dmgyvjgc.exe |
| Command Line | "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YFeKw5dmGYVjgc.exe" |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:02:06, Reason: Child Process |
| Unmonitor | End Time: 00:02:31, Reason: Self Terminated |
| Monitor Duration | 00:00:25 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xac8 |
| Parent PID | 0xaac (c:\users\5p5nrgjn0js halpmcxz\desktop\%appdata%roamingmicrosoftwindowsstart menuprogramsstartup8gfg.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ACC
0x
AF8
0x
AFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0006ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00067fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00077fff | Pagefile Backed Memory | rw |
|
|
|
- |
| yfekw5dmgyvjgc.exe | 0x00080000 | 0x00088fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000f0000 | 0x00156fff | Memory Mapped File | r |
|
|
|
- |
| rsaenh.dll | 0x00160000 | 0x0019bfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x00737fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x00930fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x01d3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01d40000 | 0x0200efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002080000 | 0x02080000 | 0x020bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002110000 | 0x02110000 | 0x0220ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023c0000 | 0x023c0000 | 0x024bffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x75200000 | 0x7523afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75240000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x75280000 | 0x75291fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75540000 | 0x7569bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75ce0000 | 0x75d36fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76670000 | 0x772b9fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml | 2.49 KB |
MD5:
aa24cf4316545a6d76559617d9de4e81
SHA1: 84a8f9ddd37b0b64589418122e3c5af4dc664d33 SHA256: 0b92f62ee86a7acad8e983dfce98bff8297daec0405efdf1942993fe0df0fbd6 SSDeep: 48:uILJqxjAXXwT/n3+rK5ZB7Xr3lGoNBiliZqzKPCsFtV2tM7m:LLwRrXBN73iliUzKZteM6 |
|
|
| \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi | 2.39 MB |
MD5:
86c67c9ce448a0a992cdcd8fd37a227a
SHA1: 34da7b9e555263fabdef2e7388855e6a43d4ef04 SHA256: 674e94ed7e8e1f6381843dd39157b93eab518615362aaf89668caeabbee69d60 SSDeep: 49152:LNIDxihRZ2dfi18m90hzj3ixoUKgjs5oz8+YnFqKyxghZf2rXy9SB44qXcmH:2xihRZ2dfJmOhzDixJLjs5oz8PExAf2U |
|
|
| debug.log | 7.76 KB |
MD5:
a67db75a1f2f813da54317a661354887
SHA1: b37f2701fc414201a0af34820e6b896c27ef9a75 SHA256: cc4a7f6af53cea59dffde21082d2c7cc3f20c29f98228b43f8c9a4aa1e929355 SSDeep: 96:bGsQaziuw6fc6dZeDmhZKv/MyJ20XUKCr70zZgp7A21aII:1hzLfBvgf |
|
|
| \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml | 1.78 KB |
MD5:
221c89a6864b87a80374fa2750031774
SHA1: 8bd11313381e0f6d79fe640c4cf80f2b7c6dd48b SHA256: 737192827b0ccfcc11cbebe88972f10e3263ef68e360cb7d34ce894634945102 SSDeep: 24:gXQB0Be6MwjtbToCFMt3/Us0mwnkcPWOes5RcU5LZz9ETnyewUgamQJSx6ixRty/:mM6Rjtb0C21HTwnkWRFlhejy+LU6Es |
|
|
| \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi | 2.39 MB |
MD5:
dfa631eca19d2049def0813c67795367
SHA1: 8d42b115432d3c9d631cb292651b8b94648a5c7f SHA256: d914b03d007d082875ca7a6c79dace819a099d8785666cb07f122a3a895cf50c SSDeep: 49152:vNIDxihRZ2dfi18m90hzj3ixoUKgjs5oz8+YnFqKyxghZf2rXy9SB44qXc/Ks/gA:KxihRZ2dfJmOhzDixJLjs5oz8PExAf2X |
|
|
| \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml | 1.67 KB |
MD5:
33aba5bec1006aaa6e9aa1bee448c5bd
SHA1: a8aa8df1a51297cdabeefb808b9d40501d7cb7ab SHA256: 11e3ae780ea27b71c9c24130bfbf17718f541e02a7e3245bfbfb03143281fac3 SSDeep: 48:lVF2xoYUc/hZA+Dqssv50zDY8VuHm7Eoa:XAqYUi7U5OY8VuHm4x |
|
|
| \\?\C:\Boot\cs-CZ\$%%! NOTE ABOUT FILES -=!-.html | 3.80 KB |
MD5:
2de785d1c95cbccdfa87db48edcb7cae
SHA1: 72b977a464cc16fbe2a2be391b276752353cf009 SHA256: 4f3ace85ad315ccae5a828098d493b65e2ab0b0f9c13d0b0746f1056e7358be1 SSDeep: 48:CF5bDvFKFkDGAyORAeUcnyvUFkUMUW8feeyWe9fZhi3Lhhxmyk4r+yf6HD3MQC:qxDtxyK1Uc/MUW8feiYfZhehG4Jfga |
|
|
| \\?\C:\Boot\BCD.LOG1 | 0.25 KB |
MD5:
03f18ffb87691417b20dd7ed3c8ff321
SHA1: 2e092399add9b15462b36281860c84f621d9fd16 SHA256: 0fd66a6aa358db1fbc1f659e62fc64ea19ca3e3b5b2983b85cf6c208b9f23c45 SSDeep: 6:xv7ShRLN3HQ7GT6Q+Tfpz+SaXJAMApPCNtFdzGcW+l:xkNAy21LpQ6sN3d6cll |
|
|
| \\?\C:\Boot\BOOTSTAT.DAT | 64.25 KB |
MD5:
f80b8d8edf9ab436b266c3d91821c102
SHA1: 70075093913574e5ddcaa5671d3a46e85d90013b SHA256: 49f0fd5d8691008879a85ca4e86d70fe367ece1ce65140eb4e9e552b6c116fe2 SSDeep: 1536:cUhPOcd7UhPOcd7UhPOcd7UhPOcd7UhPOcd7UhPOcd7UhI:cUhPOcFUhPOcFUhPOcFUhPOcFUhPOcF+ |
|
|
| \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab_9c4rmT6TdKfuH9Ft_{alexbanan@tuta.io}.CORP | 10.00 MB |
MD5:
15a0fef8a1ade304c039f05a7912fe24
SHA1: 5c75410864654578995e6403198e337ce1eb47fc SHA256: cf531fd661768bb410cc89b2600c42873ee27fcac66c9e29c717eefd69788299 SSDeep: 196608:kkI0ShKgPbqrX+O+TtdjBU8PMIXiIJ5towFXg2j95eCp:knTK4WrtgBUwUq5mwFg2H7 |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab | 10.00 MB |
MD5:
f9a8a5aeaa1312e63b4ee59a8d53f748
SHA1: 877e3e73c306afef2bfd8e89ea30ed6de648e710 SHA256: b270b3b867f9fd7ce1dcedd10847f34b06cef027f88790bb56eea61cad0e9db3 SSDeep: 196608:uBT+FUVOwJ4WerdbzDDPMX81eg3hPol9y8mjlnzl7Z7yPpWfQbXa4Fxt5M:V66WuFz/w81nhsFmx5NyxbXDc |
|
|
| \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml | 2.49 KB |
MD5:
aa24cf4316545a6d76559617d9de4e81
SHA1: 84a8f9ddd37b0b64589418122e3c5af4dc664d33 SHA256: 0b92f62ee86a7acad8e983dfce98bff8297daec0405efdf1942993fe0df0fbd6 SSDeep: 48:uILJqxjAXXwT/n3+rK5ZB7Xr3lGoNBiliZqzKPCsFtV2tM7m:LLwRrXBN73iliUzKZteM6 |
|
|
| \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi | 2.39 MB |
MD5:
86c67c9ce448a0a992cdcd8fd37a227a
SHA1: 34da7b9e555263fabdef2e7388855e6a43d4ef04 SHA256: 674e94ed7e8e1f6381843dd39157b93eab518615362aaf89668caeabbee69d60 SSDeep: 49152:LNIDxihRZ2dfi18m90hzj3ixoUKgjs5oz8+YnFqKyxghZf2rXy9SB44qXcmH:2xihRZ2dfJmOhzDixJLjs5oz8PExAf2U |
|
|
| \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml | 1.78 KB |
MD5:
221c89a6864b87a80374fa2750031774
SHA1: 8bd11313381e0f6d79fe640c4cf80f2b7c6dd48b SHA256: 737192827b0ccfcc11cbebe88972f10e3263ef68e360cb7d34ce894634945102 SSDeep: 24:gXQB0Be6MwjtbToCFMt3/Us0mwnkcPWOes5RcU5LZz9ETnyewUgamQJSx6ixRty/:mM6Rjtb0C21HTwnkWRFlhejy+LU6Es |
|
|
| \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi | 2.39 MB |
MD5:
dfa631eca19d2049def0813c67795367
SHA1: 8d42b115432d3c9d631cb292651b8b94648a5c7f SHA256: d914b03d007d082875ca7a6c79dace819a099d8785666cb07f122a3a895cf50c SSDeep: 49152:vNIDxihRZ2dfi18m90hzj3ixoUKgjs5oz8+YnFqKyxghZf2rXy9SB44qXc/Ks/gA:KxihRZ2dfJmOhzDixJLjs5oz8PExAf2X |
|
|
| \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml | 1.67 KB |
MD5:
33aba5bec1006aaa6e9aa1bee448c5bd
SHA1: a8aa8df1a51297cdabeefb808b9d40501d7cb7ab SHA256: 11e3ae780ea27b71c9c24130bfbf17718f541e02a7e3245bfbfb03143281fac3 SSDeep: 48:lVF2xoYUc/hZA+Dqssv50zDY8VuHm7Eoa:XAqYUi7U5OY8VuHm4x |
|
|
| \\?\C:\Boot\BCD.LOG1 | 0.25 KB |
MD5:
03f18ffb87691417b20dd7ed3c8ff321
SHA1: 2e092399add9b15462b36281860c84f621d9fd16 SHA256: 0fd66a6aa358db1fbc1f659e62fc64ea19ca3e3b5b2983b85cf6c208b9f23c45 SSDeep: 6:xv7ShRLN3HQ7GT6Q+Tfpz+SaXJAMApPCNtFdzGcW+l:xkNAy21LpQ6sN3d6cll |
|
|
| \\?\C:\Boot\BOOTSTAT.DAT | 64.25 KB |
MD5:
f80b8d8edf9ab436b266c3d91821c102
SHA1: 70075093913574e5ddcaa5671d3a46e85d90013b SHA256: 49f0fd5d8691008879a85ca4e86d70fe367ece1ce65140eb4e9e552b6c116fe2 SSDeep: 1536:cUhPOcd7UhPOcd7UhPOcd7UhPOcd7UhPOcd7UhPOcd7UhI:cUhPOcFUhPOcFUhPOcFUhPOcFUhPOcF+ |
|
|
Host Behavior
File (2413)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | debug.log | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Boot\. | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\.. | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\BCD | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\BCD.LOG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\BCD.LOG1 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\BCD.LOG2 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\BOOTSTAT.DAT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\cs-CZ\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\cs-CZ\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\da-DK\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\da-DK\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\de-DE\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\de-DE\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\el-GR\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\el-GR\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\en-US\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\en-US\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\en-US\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\es-ES\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\es-ES\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\fi-FI\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\fi-FI\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\Fonts\chs_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\Fonts\cht_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\Fonts\jpn_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\Fonts\kor_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\Fonts\wgl4_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\Fonts\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\fr-FR\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\fr-FR\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\hu-HU\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\hu-HU\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\it-IT\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\it-IT\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\ja-JP\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\ja-JP\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\ko-KR\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\ko-KR\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\memtest.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\nb-NO\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\nb-NO\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\nl-NL\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\nl-NL\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\pl-PL\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\pl-PL\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\pt-BR\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\pt-BR\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\pt-PT\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\pt-PT\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\ru-RU\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\ru-RU\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\sv-SE\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\sv-SE\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\tr-TR\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\tr-TR\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\zh-CN\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\zh-CN\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\zh-HK\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\zh-HK\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\zh-TW\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\zh-TW\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Boot\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\bootmgr | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\BOOTSECT.BAK | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Config.Msi\. | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Config.Msi\.. | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\Config.Msi\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\hiberfil.sys | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\MSOCache\. | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\MSOCache\.. | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\MSOCache\All Users\. | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\MSOCache\All Users\.. | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\. | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\.. | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\$%%! NOTE ABOUT FILES -=!-.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\. | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\.. | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Move | \\?\C:\Boot\BCD.LOG1_9c4rmT6TdKfuH9Ft_{alexbanan@tuta.io}.CORP | source_filename = \\?\C:\Boot\BCD.LOG1 |
|
1 | |
| Move | \\?\C:\Boot\BCD.LOG2_9c4rmT6TdKfuH9Ft_{alexbanan@tuta.io}.CORP | source_filename = \\?\C:\Boot\BCD.LOG2 |
|
1 | |
| Move | \\?\C:\Boot\BOOTSTAT.DAT_9c4rmT6TdKfuH9Ft_{alexbanan@tuta.io}.CORP | source_filename = \\?\C:\Boot\BOOTSTAT.DAT |
|
1 | |
| Move | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab_9c4rmT6TdKfuH9Ft_{alexbanan@tuta.io}.CORP | source_filename = \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab |
|
1 | |
| Move | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi_9c4rmT6TdKfuH9Ft_{alexbanan@tuta.io}.CORP | source_filename = \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi |
|
1 | |
| Move | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml_9c4rmT6TdKfuH9Ft_{alexbanan@tuta.io}.CORP | source_filename = \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml |
|
1 | |
| Move | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml_9c4rmT6TdKfuH9Ft_{alexbanan@tuta.io}.CORP | source_filename = \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml |
|
1 | |
| Move | \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi_9c4rmT6TdKfuH9Ft_{alexbanan@tuta.io}.CORP | source_filename = \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi |
|
1 | |
| Move | \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml_9c4rmT6TdKfuH9Ft_{alexbanan@tuta.io}.CORP | source_filename = \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml |
|
1 | |
| Read | \\?\C:\Boot\BCD.LOG1 | size = 10240, size_out = 0 |
|
1 | |
| Read | \\?\C:\Boot\BCD.LOG2 | size = 10240, size_out = 0 |
|
1 | |
| Read | \\?\C:\Boot\BOOTSTAT.DAT | size = 10240, size_out = 10240 |
|
6 | |
| Read | \\?\C:\Boot\BOOTSTAT.DAT | size = 10240, size_out = 4096 |
|
1 | |
| Read | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab | size = 10240, size_out = 10240 |
|
249 | |
| Read | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi | size = 10240, size_out = 10240 |
|
244 | |
| Read | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi | size = 10240, size_out = 7680 |
|
1 | |
| Read | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml | size = 10240, size_out = 1565 |
|
1 | |
| Read | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml | size = 10240, size_out = 2296 |
|
1 | |
| Read | \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi | size = 10240, size_out = 10240 |
|
244 | |
| Read | \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi | size = 10240, size_out = 5120 |
|
1 | |
| Read | \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml | size = 10240, size_out = 1450 |
|
1 | |
| Read | \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab | size = 10240, size_out = 10240 |
|
249 | |
| Write | debug.log | size = 39 |
|
1 | |
| Write | debug.log | size = 45 |
|
6 | |
| Write | debug.log | size = 40 |
|
2 | |
| Write | debug.log | size = 46 |
|
5 | |
| Write | debug.log | size = 41 |
|
3 | |
| Write | debug.log | size = 50 |
|
4 | |
| Write | \\?\C:\Boot\BCD.LOG1 | size = 0 |
|
1 | |
| Write | \\?\C:\Boot\BCD.LOG1 | size = 256 |
|
1 | |
| Write | debug.log | size = 38 |
|
2 | |
| Write | \\?\C:\Boot\BCD.LOG2 | size = 0 |
|
1 | |
| Write | \\?\C:\Boot\BCD.LOG2 | size = 256 |
|
1 | |
| Write | \\?\C:\Boot\BOOTSTAT.DAT | size = 10240 |
|
6 | |
| Write | \\?\C:\Boot\BOOTSTAT.DAT | size = 4096 |
|
1 | |
| Write | \\?\C:\Boot\BOOTSTAT.DAT | size = 256 |
|
1 | |
| Write | debug.log | size = 42 |
|
1 | |
| Write | debug.log | size = 59 |
|
25 | |
| Write | debug.log | size = 63 |
|
24 | |
| Write | \\?\C:\Boot\cs-CZ\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\cs-CZ\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\cs-CZ\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\cs-CZ\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\cs-CZ\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\cs-CZ\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | \\?\C:\Boot\da-DK\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\da-DK\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\da-DK\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\da-DK\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\da-DK\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\da-DK\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | \\?\C:\Boot\de-DE\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\de-DE\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\de-DE\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\de-DE\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\de-DE\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\de-DE\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | \\?\C:\Boot\el-GR\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\el-GR\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\el-GR\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\el-GR\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\el-GR\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\el-GR\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | \\?\C:\Boot\en-US\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\en-US\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\en-US\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\en-US\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\en-US\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\en-US\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | \\?\C:\Boot\es-ES\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\es-ES\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\es-ES\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\es-ES\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\es-ES\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\es-ES\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | \\?\C:\Boot\fi-FI\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\fi-FI\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\fi-FI\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\fi-FI\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\fi-FI\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\fi-FI\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | debug.log | size = 56 |
|
4 | |
| Write | debug.log | size = 60 |
|
5 | |
| Write | debug.log | size = 57 |
|
1 | |
| Write | debug.log | size = 61 |
|
1 | |
| Write | \\?\C:\Boot\Fonts\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\Fonts\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\Fonts\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\Fonts\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\Fonts\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\Fonts\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | \\?\C:\Boot\fr-FR\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\fr-FR\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\fr-FR\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\fr-FR\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\fr-FR\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\fr-FR\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | \\?\C:\Boot\hu-HU\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\hu-HU\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\hu-HU\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\hu-HU\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\hu-HU\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\hu-HU\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | \\?\C:\Boot\it-IT\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\it-IT\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\it-IT\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\it-IT\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\it-IT\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\it-IT\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | \\?\C:\Boot\ja-JP\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\ja-JP\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\ja-JP\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\ja-JP\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\ja-JP\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\ja-JP\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | \\?\C:\Boot\ko-KR\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\ko-KR\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\ko-KR\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\ko-KR\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\ko-KR\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\ko-KR\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | debug.log | size = 49 |
|
3 | |
| Write | debug.log | size = 53 |
|
2 | |
| Write | \\?\C:\Boot\nb-NO\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\nb-NO\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\nb-NO\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\nb-NO\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\nb-NO\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\nb-NO\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | \\?\C:\Boot\nl-NL\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\nl-NL\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\nl-NL\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\nl-NL\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\nl-NL\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\nl-NL\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | \\?\C:\Boot\pl-PL\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\pl-PL\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\pl-PL\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\pl-PL\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\pl-PL\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\pl-PL\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | \\?\C:\Boot\pt-BR\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\pt-BR\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\pt-BR\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\pt-BR\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\pt-BR\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\pt-BR\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | \\?\C:\Boot\pt-PT\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\pt-PT\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\pt-PT\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\pt-PT\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\pt-PT\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\pt-PT\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | \\?\C:\Boot\ru-RU\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\ru-RU\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\ru-RU\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\ru-RU\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\ru-RU\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\ru-RU\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | \\?\C:\Boot\sv-SE\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\sv-SE\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\sv-SE\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\sv-SE\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\sv-SE\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\sv-SE\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | \\?\C:\Boot\tr-TR\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\tr-TR\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\tr-TR\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\tr-TR\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\tr-TR\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\tr-TR\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | \\?\C:\Boot\zh-CN\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\zh-CN\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\zh-CN\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\zh-CN\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\zh-CN\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\zh-CN\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | \\?\C:\Boot\zh-HK\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\zh-HK\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\zh-HK\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\zh-HK\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\zh-HK\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\zh-HK\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | \\?\C:\Boot\zh-TW\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\zh-TW\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\zh-TW\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\zh-TW\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\zh-TW\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\zh-TW\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | \\?\C:\Boot\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Boot\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Boot\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Boot\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Boot\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Boot\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | debug.log | size = 44 |
|
2 | |
| Write | debug.log | size = 51 |
|
1 | |
| Write | debug.log | size = 52 |
|
1 | |
| Write | \\?\C:\Config.Msi\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\Config.Msi\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\Config.Msi\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\Config.Msi\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\Config.Msi\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\Config.Msi\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | debug.log | size = 43 |
|
1 | |
| Write | debug.log | size = 54 |
|
1 | |
| Write | debug.log | size = 94 |
|
3 | |
| Write | debug.log | size = 100 |
|
4 | |
| Write | debug.log | size = 95 |
|
2 | |
| Write | debug.log | size = 101 |
|
2 | |
| Write | debug.log | size = 104 |
|
1 | |
| Write | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab | size = 10240 |
|
249 | |
| Write | debug.log | size = 96 |
|
1 | |
| Write | debug.log | size = 99 |
|
1 | |
| Write | debug.log | size = 105 |
|
4 | |
| Write | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi | size = 10240 |
|
244 | |
| Write | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi | size = 7680 |
|
1 | |
| Write | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi | size = 256 |
|
1 | |
| Write | debug.log | size = 97 |
|
3 | |
| Write | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml | size = 1565 |
|
1 | |
| Write | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml | size = 256 |
|
1 | |
| Write | debug.log | size = 102 |
|
4 | |
| Write | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml | size = 2296 |
|
1 | |
| Write | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml | size = 256 |
|
1 | |
| Write | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\$%%! NOTE ABOUT FILES -=!-.html | size = 1607 |
|
1 | |
| Write | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\$%%! NOTE ABOUT FILES -=!-.html | size = 16 |
|
1 | |
| Write | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\$%%! NOTE ABOUT FILES -=!-.html | size = 1452 |
|
1 | |
| Write | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\$%%! NOTE ABOUT FILES -=!-.html | size = 17 |
|
2 | |
| Write | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\$%%! NOTE ABOUT FILES -=!-.html | size = 98 |
|
1 | |
| Write | \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\$%%! NOTE ABOUT FILES -=!-.html | size = 687 |
|
1 | |
| Write | debug.log | size = 110 |
|
2 | |
| Write | \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi | size = 10240 |
|
244 | |
| Write | \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi | size = 5120 |
|
1 | |
| Write | \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi | size = 256 |
|
1 | |
| Write | \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml | size = 1450 |
|
1 | |
| Write | \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml | size = 256 |
|
1 | |
| Write | \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab | size = 10240 |
|
249 |
Registry (1)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\sysnative\vssadmin.exe | os_pid = 0xae4, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 |
Module (2)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\start menu\programs\startup\yfekw5dmgyvjgc.exe | base_address = 0x80000 |
|
1 | |
| Get Filename | - | process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\start menu\programs\startup\yfekw5dmgyvjgc.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YFeKw5dmGYVjgc.exe, size = 260 |
|
1 |
Service (57)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = WinDefend |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = -1 (infinite) |
|
1 |
Process #3: cmd.exe
121
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c "C:\Users\5P5NRG~1\AppData\Local\Temp\1296.tmp.bat" |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:02:06, Reason: Child Process |
| Unmonitor | End Time: 00:02:10, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xad0 |
| Parent PID | 0xaac (c:\users\5p5nrgjn0js halpmcxz\desktop\%appdata%roamingmicrosoftwindowsstart menuprogramsstartup8gfg.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x003e0000 | 0x0049ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x0059ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x00727fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x008b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x01cbffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001cc0000 | 0x01cc0000 | 0x02002fff | Pagefile Backed Memory | r |
|
|
|
- |
| cmd.exe | 0x49f80000 | 0x49fcbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x74d90000 | 0x74d97fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x74da0000 | 0x74dfbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x74e00000 | 0x74e3efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75270000 | 0x75276fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x753a0000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x753b0000 | 0x7540ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75410000 | 0x754acfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x756f0000 | 0x757effff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75a20000 | 0x75b2ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75b30000 | 0x75bcffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75d40000 | 0x75e0bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75e30000 | 0x75edbfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x762b0000 | 0x762c8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x762d0000 | 0x762d9fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76500000 | 0x7655ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x765f0000 | 0x76635fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772d0000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x773c0000 | 0x7744ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077450000 | 0x77450000 | 0x77549fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077550000 | 0x77550000 | 0x7766efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77850000 | 0x779cffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (74)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5P5NRG~1\AppData\Local\Temp\1296.tmp.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Create | C:\Users\5P5NRG~1\AppData\Local\Temp\1296.tmp.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\5P5NRG~1\AppData\Local\Temp\1296.tmp.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
3 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roamingroamingmicrosoftwindowsstart menuprogramsstartup8gfg.exe | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\C:\Users\5p5NrGJn0jS HALPmcxz\AppData | type = file_attributes |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
2 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
2 | |
| Get Info | C:\Users\5P5NRG~1\AppData\Local\Temp\1296.tmp.bat | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5P5NRG~1\AppData\Local\Temp | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
13 | |
| Open | STD_INPUT_HANDLE | - |
|
7 | |
| Open | STD_INPUT_HANDLE | - |
|
12 | |
| Open | STD_ERROR_HANDLE | - |
|
6 | |
| Open | STD_INPUT_HANDLE | - |
|
8 | |
| Read | STD_INPUT_HANDLE | size = 8191, size_out = 309 |
|
1 | |
| Read | STD_INPUT_HANDLE | size = 8191, size_out = 298 |
|
1 | |
| Read | STD_INPUT_HANDLE | size = 8191, size_out = 294 |
|
1 | |
| Read | STD_INPUT_HANDLE | size = 8191, size_out = 183 |
|
1 | |
| Read | STD_INPUT_HANDLE | size = 8191, size_out = 60 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 68 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 33 |
|
1 | |
| Delete | C:\Users\5P5NRG~1\AppData\Local\Temp\1296.tmp.bat | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (12)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ADVAPI32.dll | base_address = 0x75b30000 |
|
1 | |
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x49f80000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75a20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75a4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75a53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75a34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75a4a79d |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SaferIdentifyLevel, address_out = 0x75b52102 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SaferComputeTokenFromLevel, address_out = 0x75b53352 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SaferCloseLevel, address_out = 0x75b53825 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-04 14:40:10 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 136454 |
|
1 |
Environment (14)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
4 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming |
|
2 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 |
Process #4: vssadmin.exe
0
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\vssadmin.exe |
| Command Line | delete shadows /all /quiet |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:02:06, Reason: Child Process |
| Unmonitor | End Time: 00:02:31, Reason: Self Terminated |
| Monitor Duration | 00:00:25 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xae4 |
| Parent PID | 0xac8 (c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\start menu\programs\startup\yfekw5dmgyvjgc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AE8
0x
B24
0x
B28
0x
B2C
0x
B30
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| vssadmin.exe.mui | 0x000e0000 | 0x000ecfff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x00667fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x007f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x01bfffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001c30000 | 0x01c30000 | 0x01caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001cd0000 | 0x01cd0000 | 0x01d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e40000 | 0x01e40000 | 0x01ebffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01ec0000 | 0x0218efff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000021e0000 | 0x021e0000 | 0x0225ffff | Private Memory | rw |
|
|
|
- |
| user32.dll | 0x77450000 | 0x77549fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77550000 | 0x7766efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77670000 | 0x77818fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff6000 | 0x7fff6000 | 0x7fff6fff | Private Memory | rw |
|
|
|
- |
| vssadmin.exe | 0xff940000 | 0xff96cfff | Memory Mapped File | rwx |
|
|
|
- |
| vss_ps.dll | 0x7fef3e60000 | 0x7fef3e73fff | Memory Mapped File | rwx |
|
|
|
- |
| vsstrace.dll | 0x7fef79b0000 | 0x7fef79c6fff | Memory Mapped File | rwx |
|
|
|
- |
| vssapi.dll | 0x7fef79d0000 | 0x7fef7b7ffff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x7fefb070000 | 0x7fefb088fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefcbb0000 | 0x7fefcbf6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefceb0000 | 0x7fefcec6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefd4b0000 | 0x7fefd4befff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x7fefd5a0000 | 0x7fefd5b3fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd920000 | 0x7fefd98afff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7fefdb10000 | 0x7fefdbaefff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7fefdbb0000 | 0x7fefdc86fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdc90000 | 0x7fefdcf6fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdd00000 | 0x7fefddc8fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7fefddf0000 | 0x7fefdff2fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7fefe000000 | 0x7fefe098fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefe0a0000 | 0x7fefe1a8fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7fefe330000 | 0x7fefe34efff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefe350000 | 0x7fefe35dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff740000 | 0x7feff81afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feff820000 | 0x7feff94cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7feff950000 | 0x7feff97dfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feff990000 | 0x7feff990fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
