35df3d50c2233798348ef326d896ab457176a2a4767dd910f8e95033992a81ff (SHA256)
FKgcS.exe
Windows Exe (x86-64)
Created at 2019-02-06 23:21:00
Notifications (2/4)
Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.
The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.
The overall sleep time of all monitored processes was truncated from "47 minutes, 5 seconds" to "12 minutes, 40 seconds" to reveal dormant functionality.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: fkgcs.exe
65379
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\ciihmnxmn6ps\desktop\fkgcs.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\FKgcS.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:52, Reason: Analysis Target |
| Unmonitor | End Time: 00:04:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:49 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc80 |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
61C
0x
8A0
0x
E04
0x
DFC
0x
E20
0x
E10
0x
DE8
0x
E0C
0x
DF0
0x
DE4
0x
DBC
0x
F7C
0x
C94
0x
CB8
0x
CCC
0x
CA8
0x
764
0x
CDC
0x
CF0
0x
CC8
0x
D00
0x
114
0x
C78
0x
F18
0x
F1C
0x
D48
0x
D5C
0x
D44
0x
D38
0x
D34
0x
D88
0x
DA8
0x
DD0
0x
A00
0x
9F4
0x
B14
0x
A14
0x
8C0
0x
A0C
0x
224
0x
318
0x
34C
0x
338
0x
320
0x
F10
0x
274
0x
304
0x
DFC
0x
56C
0x
DE4
0x
A38
0x
924
0x
5E4
0x
580
0x
578
0x
5CC
0x
5D8
0x
E1C
0x
8D0
0x
2F4
0x
C84
0x
CA4
0x
EC
0x
9B8
0x
B90
0x
C44
0x
BA4
0x
9B4
0x
8E0
0x
B60
0x
F0
0x
DBC
0x
AE0
0x
C34
0x
C20
0x
ACC
0x
710
0x
414
0x
804
0x
454
0x
204
0x
8D4
0x
958
0x
BA8
0x
B70
0x
BAC
0x
B74
0x
F00
0x
D78
0x
D4C
0x
E34
0x
D40
0x
AF4
0x
D3C
0x
B84
0x
D64
0x
DCC
0x
D60
0x
D54
0x
DD4
0x
CE8
0x
CD0
0x
B20
0x
290
0x
530
0x
470
0x
D10
0x
D50
0x
CEC
0x
88C
0x
404
0x
5BC
0x
234
0x
F04
0x
DB0
0x
E4C
0x
EE4
0x
E18
0x
A10
0x
3DC
0x
B64
0x
230
0x
1A4
0x
FBC
0x
1F4
0x
FA8
0x
FB0
0x
FB4
0x
FB8
0x
FC8
0x
FD4
0x
F0C
0x
FAC
0x
910
0x
548
0x
FA4
0x
E00
0x
40
0x
8C4
0x
B3C
0x
F78
0x
F58
0x
2CC
0x
C58
0x
F44
0x
F7C
0x
784
0x
6B4
0x
C0C
0x
774
0x
EE8
0x
FE0
0x
AE8
0x
AC8
0x
E70
0x
E3C
0x
FEC
0x
7AC
0x
7B0
0x
7C8
0x
490
0x
770
0x
76C
0x
7CC
0x
950
0x
968
0x
7BC
0x
46C
0x
CE0
0x
CC4
0x
4D0
0x
418
0x
838
0x
AC4
0x
A84
0x
718
0x
DAC
0x
EF0
0x
D9C
0x
E28
0x
D84
0x
EF8
0x
E2C
0x
D70
0x
D80
0x
E24
0x
FF8
0x
E6C
0x
FF4
0x
FCC
0x
FE8
0x
FE4
0x
FDC
0x
E74
0x
FA0
0x
EDC
0x
FD8
0x
7A0
0x
F54
0x
C10
0x
CAC
0x
F90
0x
F70
0x
518
0x
270
0x
84
0x
200
0x
36C
0x
CA0
0x
248
0x
504
0x
2F0
0x
3C0
0x
41C
0x
C30
0x
C48
0x
ED0
0x
5C0
0x
954
0x
60C
0x
860
0x
510
0x
79C
0x
888
0x
90C
0x
C54
0x
C08
0x
C94
0x
2EC
0x
C8C
0x
820
0x
148
0x
C74
0x
4E8
0x
B24
0x
C90
0x
4F8
0x
524
0x
D2C
0x
5B8
0x
D18
0x
F5C
0x
C50
0x
C6C
0x
C60
0x
C38
0x
A70
0x
CC0
0x
CD4
0x
CE4
0x
FF0
0x
C24
0x
A6C
0x
CBC
0x
D30
0x
CCC
0x
D0C
0x
B08
0x
A24
0x
550
0x
85C
0x
AF8
0x
9F0
0x
798
0x
9F8
0x
81C
0x
554
0x
234
0x
618
0x
890
0x
DA4
0x
EFC
0x
DC8
0x
DB4
0x
ED8
0x
E14
0x
788
0x
E44
0x
51C
0x
878
0x
CD8
0x
C4C
0x
FC0
0x
1010
0x
1014
0x
1018
0x
101C
0x
1020
0x
1024
0x
1028
0x
102C
0x
1030
0x
1034
0x
1038
0x
103C
0x
1040
0x
1044
0x
1048
0x
104C
0x
1050
0x
1054
0x
1058
0x
105C
0x
1060
0x
1064
0x
1068
0x
106C
0x
1070
0x
1074
0x
1078
0x
107C
0x
1080
0x
1084
0x
1088
0x
108C
0x
1090
0x
1094
0x
1098
0x
10A0
0x
10A4
0x
10A8
0x
10AC
0x
10B0
0x
10B4
0x
10B8
0x
10BC
0x
10C0
0x
10C4
0x
10C8
0x
10D0
0x
10DC
0x
10E0
0x
10E4
0x
10E8
0x
10EC
0x
10F0
0x
10F4
0x
10F8
0x
10FC
0x
1100
0x
1104
0x
1108
0x
110C
0x
1110
0x
1114
0x
1118
0x
111C
0x
1120
0x
1124
0x
1128
0x
112C
0x
1130
0x
1134
0x
1138
0x
113C
0x
1140
0x
1144
0x
1148
0x
114C
0x
1150
0x
1154
0x
1158
0x
1160
0x
1164
0x
1168
0x
116C
0x
1170
0x
1174
0x
1178
0x
117C
0x
1180
0x
1184
0x
1188
0x
118C
0x
1190
0x
1194
0x
1198
0x
119C
0x
11A0
0x
11A4
0x
11A8
0x
11AC
0x
11B0
0x
11B4
0x
11BC
0x
11C0
0x
11C4
0x
11C8
0x
11CC
0x
11D4
0x
11D8
0x
11DC
0x
11E0
0x
11E4
0x
11E8
0x
11EC
0x
11F0
0x
11F4
0x
11F8
0x
11FC
0x
1210
0x
1214
0x
1218
0x
1220
0x
1224
0x
1228
0x
122C
0x
1230
0x
1234
0x
1238
0x
123C
0x
1240
0x
1244
0x
1248
0x
124C
0x
1250
0x
1254
0x
1258
0x
125C
0x
1260
0x
1264
0x
1268
0x
1270
0x
1274
0x
1278
0x
127C
0x
1280
0x
1284
0x
1288
0x
128C
0x
1290
0x
1294
0x
1298
0x
129C
0x
12A0
0x
12A4
0x
12A8
0x
12AC
0x
12B0
0x
12B4
0x
12B8
0x
12BC
0x
12C0
0x
12C4
0x
12C8
0x
12CC
0x
12D0
0x
12D4
0x
12D8
0x
12DC
0x
12E0
0x
12E4
0x
12E8
0x
12EC
0x
12F0
0x
12F4
0x
12F8
0x
12FC
0x
1304
0x
1308
0x
130C
0x
1310
0x
1314
0x
1318
0x
131C
0x
1320
0x
1324
0x
1328
0x
132C
0x
1330
0x
1334
0x
1338
0x
133C
0x
1344
0x
1348
0x
134C
0x
1350
0x
1354
0x
1358
0x
135C
0x
1360
0x
1364
0x
1368
0x
136C
0x
1378
0x
137C
0x
1380
0x
1384
0x
1388
0x
138C
0x
1390
0x
1394
0x
1398
0x
139C
0x
13A0
0x
13A4
0x
13A8
0x
13AC
0x
13B0
0x
13B4
0x
13B8
0x
13C0
0x
13C4
0x
13C8
0x
13CC
0x
13D0
0x
13D4
0x
13D8
0x
13DC
0x
13E0
0x
13E4
0x
13E8
0x
13EC
0x
13F0
0x
13F4
0x
13F8
0x
13FC
0x
DB4
0x
1004
0x
10D8
0x
115C
0x
DD8
0x
100C
0x
10D4
0x
10CC
0x
F08
0x
109C
0x
1008
0x
648
0x
11D0
0x
11B8
0x
11FC
0x
120C
0x
A40
0x
7B8
0x
E5C
0x
1404
0x
1410
0x
1414
0x
1418
0x
141C
0x
1420
0x
1424
0x
1428
0x
142C
0x
1430
0x
1434
0x
1438
0x
143C
0x
1440
0x
1444
0x
1448
0x
144C
0x
1450
0x
1454
0x
1458
0x
145C
0x
1460
0x
1464
0x
1468
0x
146C
0x
1470
0x
1474
0x
1478
0x
147C
0x
1480
0x
1484
0x
1488
0x
148C
0x
1490
0x
1494
0x
1498
0x
149C
0x
14A0
0x
14A4
0x
14A8
0x
14AC
0x
14B0
0x
14B4
0x
14B8
0x
14BC
0x
14C0
0x
14C4
0x
14C8
0x
14CC
0x
14D0
0x
14D4
0x
14D8
0x
14DC
0x
14E0
0x
14E4
0x
14E8
0x
14EC
0x
14F0
0x
14F4
0x
14F8
0x
14FC
0x
1500
0x
1504
0x
1508
0x
150C
0x
1510
0x
1514
0x
1518
0x
151C
0x
1520
0x
1524
0x
1528
0x
152C
0x
1530
0x
1534
0x
1538
0x
153C
0x
1540
0x
1544
0x
1548
0x
154C
0x
1550
0x
1554
0x
1558
0x
155C
0x
1560
0x
1564
0x
1568
0x
156C
0x
1570
0x
1574
0x
1578
0x
157C
0x
1580
0x
1584
0x
1588
0x
158C
0x
1590
0x
1594
0x
1598
0x
159C
0x
15A0
0x
15A4
0x
15A8
0x
15AC
0x
15B0
0x
15B4
0x
15B8
0x
15BC
0x
15C0
0x
15C4
0x
15C8
0x
15CC
0x
15D0
0x
15D4
0x
15D8
0x
15DC
0x
15E0
0x
15E4
0x
15E8
0x
15EC
0x
15F0
0x
15F4
0x
15F8
0x
15FC
0x
1600
0x
1604
0x
1608
0x
160C
0x
1610
0x
1614
0x
1618
0x
161C
0x
1620
0x
1624
0x
1628
0x
162C
0x
1630
0x
1634
0x
1638
0x
163C
0x
1640
0x
1644
0x
1648
0x
164C
0x
1650
0x
1654
0x
1658
0x
165C
0x
1660
0x
1664
0x
1668
0x
166C
0x
1670
0x
1674
0x
1678
0x
167C
0x
1680
0x
1684
0x
1688
0x
168C
0x
1690
0x
1694
0x
1698
0x
169C
0x
16A0
0x
16A4
0x
16A8
0x
16AC
0x
16B0
0x
16B4
0x
16B8
0x
16BC
0x
16C0
0x
16C4
0x
16C8
0x
16CC
0x
16D0
0x
16D4
0x
16D8
0x
16DC
0x
16E0
0x
16E4
0x
16E8
0x
16EC
0x
16F0
0x
16F4
0x
16F8
0x
16FC
0x
1700
0x
1704
0x
1708
0x
170C
0x
1710
0x
1714
0x
171C
0x
1720
0x
1724
0x
1728
0x
172C
0x
1730
0x
1734
0x
1738
0x
173C
0x
1740
0x
1744
0x
1748
0x
1758
0x
175C
0x
1760
0x
1774
0x
1778
0x
177C
0x
1784
0x
1788
0x
178C
0x
1790
0x
1794
0x
1798
0x
179C
0x
17A0
0x
17A4
0x
17A8
0x
17AC
0x
17B0
0x
17B4
0x
17B8
0x
17BC
0x
17C0
0x
17C4
0x
17C8
0x
17CC
0x
17D0
0x
17D4
0x
17D8
0x
17DC
0x
17E0
0x
17E4
0x
17E8
0x
17EC
0x
17F0
0x
17F4
0x
17F8
0x
17FC
0x
C9C
0x
8B8
0x
1374
0x
13BC
0x
1204
0x
126C
0x
1370
0x
1340
0x
1200
0x
1300
0x
121C
0x
C68
0x
900
0x
1208
0x
140C
0x
1408
0x
528
0x
610
0x
F24
0x
CF4
0x
F2C
0x
F84
0x
7C0
0x
75C
0x
173C
0x
1768
0x
174C
0x
1718
0x
1804
0x
180C
0x
1810
0x
181C
0x
1820
0x
1824
0x
1828
0x
182C
0x
1830
0x
1834
0x
1838
0x
1844
0x
1848
0x
184C
0x
1850
0x
1854
0x
1858
0x
185C
0x
1860
0x
1864
0x
1868
0x
1870
0x
1874
0x
1878
0x
187C
0x
1880
0x
1884
0x
1888
0x
188C
0x
1890
0x
1894
0x
1898
0x
189C
0x
18A0
0x
18A4
0x
18A8
0x
18AC
0x
18B0
0x
18B4
0x
18B8
0x
18BC
0x
18C0
0x
18C4
0x
18C8
0x
18CC
0x
18D0
0x
18D4
0x
18D8
0x
18DC
0x
18E0
0x
18E4
0x
18E8
0x
18EC
0x
18F0
0x
18F4
0x
18F8
0x
1938
0x
193C
0x
1940
0x
1944
0x
1948
0x
194C
0x
1950
0x
1954
0x
1958
0x
195C
0x
1960
0x
1964
0x
1968
0x
196C
0x
1970
0x
1974
0x
1978
0x
197C
0x
1980
0x
1984
0x
1988
0x
198C
0x
1994
0x
1998
0x
199C
0x
19A0
0x
19A4
0x
19A8
0x
19AC
0x
19B0
0x
19B4
0x
19B8
0x
19BC
0x
19C0
0x
19C4
0x
19C8
0x
19CC
0x
19D0
0x
19D4
0x
19D8
0x
19DC
0x
19E0
0x
19E4
0x
19E8
0x
19EC
0x
19F0
0x
19F4
0x
19F8
0x
19FC
0x
1A00
0x
1A04
0x
1A08
0x
1A0C
0x
1A10
0x
1A14
0x
1A18
0x
1A1C
0x
1A20
0x
1A24
0x
1A28
0x
1A2C
0x
1A30
0x
1A34
0x
1A38
0x
1A3C
0x
1A40
0x
1A44
0x
1A48
0x
1A4C
0x
1A50
0x
1A54
0x
1A58
0x
1A5C
0x
1A60
0x
1A64
0x
1A68
0x
1A6C
0x
1A70
0x
1A74
0x
1A78
0x
1A7C
0x
1A80
0x
1A84
0x
1A88
0x
1A8C
0x
1A90
0x
1A94
0x
1A98
0x
1A9C
0x
1AA0
0x
1AA4
0x
1AA8
0x
1AAC
0x
1AB0
0x
1AB4
0x
1AB8
0x
1ABC
0x
1AC0
0x
1AC4
0x
1AC8
0x
1ACC
0x
1AD0
0x
1AD4
0x
1AD8
0x
1ADC
0x
1AE0
0x
1AE4
0x
1AE8
0x
1AEC
0x
1AF0
0x
1AF4
0x
1AF8
0x
1AFC
0x
1B00
0x
1B04
0x
1B08
0x
1B0C
0x
1B10
0x
1B14
0x
1B18
0x
1B1C
0x
1B20
0x
1B24
0x
1B28
0x
1B2C
0x
1B30
0x
1B34
0x
1B38
0x
1B3C
0x
1B40
0x
1B44
0x
1B48
0x
1B4C
0x
1B50
0x
1B54
0x
1B58
0x
1B5C
0x
1B60
0x
1B64
0x
1B68
0x
1B6C
0x
1B70
0x
1B74
0x
1B78
0x
1B7C
0x
1B80
0x
1B84
0x
1B98
0x
1B9C
0x
1BA4
0x
1BAC
0x
1BB0
0x
1BB4
0x
1BBC
0x
1BC0
0x
1BC8
0x
1BD4
0x
1BD8
0x
1BE0
0x
1BE4
0x
1BE8
0x
1BEC
0x
1BF0
0x
1BF4
0x
1BF8
0x
1BFC
0x
1818
0x
183C
0x
1814
0x
1808
0x
1780
0x
1750
0x
176C
0x
186C
0x
1764
0x
1840
0x
18F8
0x
1908
0x
1920
0x
1924
0x
1900
0x
1910
0x
191C
0x
1918
0x
1914
0x
18FC
0x
190C
0x
1904
0x
D98
0x
55C
0x
858
0x
D0
0x
8AC
0x
EE0
0x
BF8
0x
D7C
0x
F14
0x
C70
0x
DC0
0x
DE0
0x
628
0x
DEC
0x
D58
0x
2BC
0x
208
0x
1FC
0x
3D8
0x
1B4
0x
614
0x
300
0x
344
0x
434
0x
2C0
0x
558
0x
73C
0x
ED4
0x
864
0x
E54
0x
778
0x
5EC
0x
634
0x
740
0x
43C
0x
6EC
0x
584
0x
7A8
0x
14C
0x
FC
0x
380
0x
478
0x
4F4
0x
484
0x
48C
0x
91C
0x
69C
0x
65C
0x
F48
0x
728
0x
1B24
0x
1B94
0x
594
0x
604
0x
464
0x
440
0x
D90
0x
1770
0x
424
0x
1BDC
0x
45C
0x
1990
0x
1754
0x
1C04
0x
1C08
0x
1C0C
0x
1C10
0x
1C14
0x
1C18
0x
1C1C
0x
1C20
0x
1C24
0x
1C28
0x
1C2C
0x
1C30
0x
1C34
0x
1C38
0x
1C3C
0x
1C40
0x
1C44
0x
1C48
0x
1C4C
0x
1C50
0x
1C54
0x
1C58
0x
1C5C
0x
1C60
0x
1C64
0x
1C68
0x
1C6C
0x
1C70
0x
1C74
0x
1C78
0x
1C7C
0x
1C80
0x
1C84
0x
1C88
0x
1C8C
0x
1C90
0x
1C94
0x
1C98
0x
1C9C
0x
1CA0
0x
1CA4
0x
1CA8
0x
1CAC
0x
1CB0
0x
1CB4
0x
1CB8
0x
1CBC
0x
1CC0
0x
1CC4
0x
1CC8
0x
1CD4
0x
1CD8
0x
1CDC
0x
1CE0
0x
1CE4
0x
1CE8
0x
1CEC
0x
1CF0
0x
1CF4
0x
1CF8
0x
1CFC
0x
1D00
0x
1D04
0x
1D08
0x
1D0C
0x
1D10
0x
1D14
0x
1D18
0x
1D1C
0x
1D20
0x
1D24
0x
1D28
0x
1D2C
0x
1D30
0x
1D34
0x
1D38
0x
1D3C
0x
1D40
0x
1D44
0x
1D48
0x
1D4C
0x
1D50
0x
1D54
0x
1D58
0x
1D5C
0x
1D60
0x
1D64
0x
1D68
0x
1D6C
0x
1D70
0x
1D74
0x
1D78
0x
1D7C
0x
1D80
0x
1D8C
0x
1D90
0x
1D98
0x
1D9C
0x
1DA4
0x
1DA8
0x
1DAC
0x
1DB0
0x
1DB4
0x
1DB8
0x
1DBC
0x
1DC0
0x
1DC4
0x
1DC8
0x
1DCC
0x
1DD0
0x
1DD4
0x
1DD8
0x
1DDC
0x
1DE0
0x
1DE4
0x
1DE8
0x
1DEC
0x
1DF0
0x
1DF4
0x
1DF8
0x
1DFC
0x
1E00
0x
1E04
0x
1E08
0x
1E0C
0x
1E10
0x
1E14
0x
1E18
0x
1E1C
0x
1E20
0x
1E24
0x
1E28
0x
1E2C
0x
1E30
0x
1E34
0x
1E38
0x
1E3C
0x
1E44
0x
1E48
0x
1E4C
0x
1E50
0x
1E54
0x
1E58
0x
1E5C
0x
1E60
0x
1E64
0x
1E68
0x
1E6C
0x
1E70
0x
1E74
0x
1E78
0x
1E7C
0x
1E80
0x
1E84
0x
1E88
0x
1E8C
0x
1E90
0x
1E94
0x
1E98
0x
1E9C
0x
1EA0
0x
1EA4
0x
1EA8
0x
1EAC
0x
1EB0
0x
1EB4
0x
1EB8
0x
1EBC
0x
1EC0
0x
1EC4
0x
1ECC
0x
1ED0
0x
1ED4
0x
1ED8
0x
1EDC
0x
1EE0
0x
1EE4
0x
1EE8
0x
1EEC
0x
1EF0
0x
1EF4
0x
1EF8
0x
1EFC
0x
1F00
0x
1F04
0x
1F08
0x
1F0C
0x
1F10
0x
1F14
0x
1F18
0x
1F1C
0x
1F20
0x
1F24
0x
1F28
0x
1F2C
0x
1F38
0x
1F3C
0x
1F40
0x
1F44
0x
1F48
0x
1F4C
0x
1F50
0x
1F54
0x
1F58
0x
1F5C
0x
1F60
0x
1F64
0x
1F68
0x
1F6C
0x
1F70
0x
1F74
0x
1F78
0x
1F7C
0x
1F80
0x
1F84
0x
1F88
0x
1F8C
0x
1F90
0x
1F94
0x
1F98
0x
1F9C
0x
1FA0
0x
1FA4
0x
1FA8
0x
1FE0
0x
1FE4
0x
1FE8
0x
1FEC
0x
1FF0
0x
1FF4
0x
1FF8
0x
1FFC
0x
D94
0x
1CB0
0x
1D88
0x
FFC
0x
420
0x
870
0x
620
0x
F8C
0x
1BD0
0x
DC4
0x
1BCC
0x
1B8C
0x
1BA8
0x
1BC4
0x
1BB8
0x
1B88
0x
1BA0
0x
1B90
0x
8EC
0x
508
0x
AB4
0x
948
0x
22C
0x
CFC
0x
7C4
0x
1F34
0x
1FAC
0x
1CD0
0x
1F30
0x
1DA0
0x
1EC8
0x
1CCC
0x
1FC0
0x
1E40
0x
1D94
0x
1D84
0x
1FD0
0x
1FB4
0x
1FD4
0x
1FC8
0x
1FB0
0x
1FCC
0x
1FC4
0x
1FBC
0x
874
0x
F60
0x
2004
0x
2008
0x
200C
0x
2010
0x
2014
0x
2018
0x
201C
0x
2020
0x
2024
0x
2028
0x
202C
0x
2030
0x
2034
0x
2038
0x
203C
0x
2040
0x
2044
0x
2048
0x
204C
0x
2050
0x
2054
0x
2058
0x
205C
0x
2060
0x
2064
0x
2068
0x
206C
0x
2070
0x
2074
0x
2078
0x
207C
0x
2080
0x
2084
0x
2088
0x
208C
0x
2090
0x
2094
0x
20A0
0x
20A4
0x
20B0
0x
20B4
0x
20B8
0x
20BC
0x
20C4
0x
20C8
0x
20CC
0x
20D0
0x
20D4
0x
20D8
0x
20DC
0x
20E4
0x
20E8
0x
20EC
0x
20F0
0x
20F4
0x
20F8
0x
20FC
0x
2100
0x
2104
0x
2108
0x
210C
0x
2110
0x
2114
0x
2118
0x
211C
0x
2120
0x
2124
0x
2128
0x
212C
0x
2130
0x
2134
0x
2138
0x
213C
0x
2140
0x
2144
0x
2148
0x
214C
0x
2150
0x
2154
0x
2158
0x
215C
0x
2160
0x
2164
0x
2168
0x
216C
0x
2170
0x
2174
0x
2178
0x
217C
0x
2180
0x
2184
0x
2188
0x
218C
0x
2190
0x
2194
0x
2198
0x
219C
0x
21A0
0x
21A4
0x
21A8
0x
21AC
0x
21B0
0x
21B4
0x
21B8
0x
21C0
0x
21C4
0x
21C8
0x
21CC
0x
21D0
0x
21D4
0x
21D8
0x
21DC
0x
21E0
0x
21E4
0x
21E8
0x
21EC
0x
21F0
0x
21F4
0x
21F8
0x
21FC
0x
2200
0x
2204
0x
2208
0x
220C
0x
2210
0x
2214
0x
2218
0x
221C
0x
2220
0x
2224
0x
2228
0x
222C
0x
2230
0x
2234
0x
2238
0x
223C
0x
2240
0x
2244
0x
2248
0x
224C
0x
2254
0x
2258
0x
225C
0x
2270
0x
2274
0x
2278
0x
227C
0x
2280
0x
2284
0x
2288
0x
228C
0x
2290
0x
2294
0x
2298
0x
229C
0x
22A0
0x
22A4
0x
22A8
0x
22AC
0x
22B0
0x
22B4
0x
22B8
0x
22BC
0x
22C0
0x
22C4
0x
22CC
0x
22D0
0x
22D4
0x
22D8
0x
22E0
0x
22E4
0x
22E8
0x
22EC
0x
22F0
0x
22F4
0x
22F8
0x
22FC
0x
2308
0x
230C
0x
2310
0x
2314
0x
2318
0x
231C
0x
2320
0x
2324
0x
2328
0x
232C
0x
2330
0x
2334
0x
2338
0x
233C
0x
2340
0x
2344
0x
2348
0x
234C
0x
2350
0x
2354
0x
2358
0x
235C
0x
2360
0x
2364
0x
2368
0x
236C
0x
2370
0x
2374
0x
237C
0x
2380
0x
2384
0x
2388
0x
238C
0x
2390
0x
2394
0x
2398
0x
239C
0x
23A0
0x
23A4
0x
23A8
0x
23AC
0x
23B0
0x
23B4
0x
23B8
0x
23BC
0x
23C0
0x
23C4
0x
23C8
0x
23CC
0x
23D0
0x
23D4
0x
23D8
0x
23DC
0x
23E0
0x
23E4
0x
23E8
0x
23EC
0x
23F0
0x
23F4
0x
23F8
0x
23FC
0x
2054
0x
C64
0x
B6C
0x
ECC
0x
20AC
0x
EC0
0x
EB8
0x
EBC
0x
EB4
0x
EB0
0x
EAC
0x
EA8
0x
EA4
0x
EA0
0x
E9C
0x
E98
0x
E94
0x
E8C
0x
E90
0x
E88
0x
E84
0x
E7C
0x
E80
0x
CB4
0x
E78
0x
21F8
0x
F64
0x
226C
0x
2404
0x
2408
0x
2410
0x
2414
0x
2418
0x
241C
0x
2420
0x
2424
0x
2428
0x
242C
0x
2430
0x
2434
0x
2440
0x
2444
0x
2448
0x
244C
0x
2450
0x
2454
0x
2458
0x
2464
0x
2468
0x
246C
0x
2470
0x
2474
0x
2478
0x
247C
0x
2480
0x
2484
0x
2488
0x
248C
0x
2490
0x
2494
0x
2498
0x
249C
0x
24A0
0x
24A4
0x
24A8
0x
24AC
0x
24B0
0x
24B8
0x
24BC
0x
24C0
0x
24C4
0x
24C8
0x
24CC
0x
24D0
0x
24D4
0x
24D8
0x
24DC
0x
24E0
0x
24E4
0x
24E8
0x
24EC
0x
24F0
0x
24F4
0x
24F8
0x
24FC
0x
2500
0x
2504
0x
2508
0x
2510
0x
2514
0x
2518
0x
251C
0x
2520
0x
2524
0x
2528
0x
252C
0x
2530
0x
2534
0x
2538
0x
253C
0x
2540
0x
2544
0x
2548
0x
254C
0x
2550
0x
2554
0x
2558
0x
255C
0x
2560
0x
2564
0x
2568
0x
256C
0x
2570
0x
2574
0x
2578
0x
257C
0x
2580
0x
2584
0x
2588
0x
258C
0x
2590
0x
2594
0x
2598
0x
259C
0x
25A0
0x
25A4
0x
25A8
0x
25AC
0x
25B0
0x
25B4
0x
25B8
0x
25BC
0x
25C0
0x
25C4
0x
25D8
0x
2608
0x
260C
0x
2610
0x
2614
0x
2618
0x
261C
0x
2620
0x
2624
0x
2628
0x
262C
0x
2630
0x
2634
0x
2638
0x
263C
0x
2640
0x
2644
0x
2648
0x
264C
0x
2650
0x
2654
0x
2658
0x
265C
0x
2660
0x
2664
0x
2668
0x
266C
0x
2670
0x
2674
0x
2678
0x
267C
0x
2680
0x
2684
0x
2688
0x
268C
0x
2690
0x
2694
0x
2698
0x
269C
0x
26A0
0x
26A4
0x
26A8
0x
26AC
0x
26B0
0x
26B4
0x
26B8
0x
26BC
0x
26C0
0x
26C4
0x
26C8
0x
26CC
0x
26D0
0x
26D4
0x
26D8
0x
26DC
0x
26E0
0x
26EC
0x
26F0
0x
26F4
0x
26F8
0x
26FC
0x
2700
0x
2704
0x
2708
0x
270C
0x
2710
0x
2714
0x
2718
0x
271C
0x
2720
0x
272C
0x
2730
0x
2734
0x
2738
0x
273C
0x
2740
0x
2748
0x
2750
0x
2754
0x
2758
0x
275C
0x
2764
0x
2768
0x
276C
0x
2770
0x
2774
0x
2778
0x
277C
0x
2780
0x
2784
0x
278C
0x
2790
0x
27A0
0x
27A4
0x
27A8
0x
27AC
0x
27B0
0x
27B4
0x
27B8
0x
27BC
0x
27C0
0x
27C4
0x
27C8
0x
27CC
0x
27D0
0x
27D4
0x
2304
0x
EC8
0x
209C
0x
20E0
0x
2250
0x
21BC
0x
20C0
0x
2460
0x
24B4
0x
2264
0x
22DC
0x
EC4
0x
2378
0x
22C8
0x
243C
0x
25C8
0x
25CC
0x
240C
0x
25D4
0x
2300
0x
2098
0x
20A8
0x
245C
0x
2260
0x
2268
0x
25D8
0x
25E8
0x
87C
0x
2600
0x
2604
0x
25E0
0x
25F0
0x
25F8
0x
25F4
0x
25EC
0x
25FC
0x
25DC
0x
25E4
0x
26B4
0x
2728
0x
2798
0x
279C
0x
26E8
0x
274C
0x
2788
0x
2760
0x
2744
0x
2794
0x
26E4
0x
2724
0x
27D4
0x
27E4
0x
27FC
0x
F28
0x
27DC
0x
27EC
0x
27F4
0x
27F0
0x
27E8
0x
27F8
0x
27D8
0x
27E0
0x
2804
0x
2808
0x
280C
0x
2810
0x
2814
0x
2818
0x
281C
0x
2820
0x
2824
0x
2828
0x
282C
0x
2830
0x
2834
0x
2838
0x
283C
0x
2840
0x
2844
0x
2848
0x
284C
0x
2850
0x
2854
0x
2858
0x
285C
0x
2860
0x
2864
0x
2868
0x
286C
0x
2870
0x
2874
0x
2878
0x
287C
0x
2880
0x
2884
0x
2888
0x
288C
0x
2890
0x
2894
0x
2898
0x
289C
0x
28A0
0x
28A4
0x
28A8
0x
28AC
0x
28B0
0x
28B4
0x
28B8
0x
28BC
0x
28C0
0x
28C4
0x
28C8
0x
28CC
0x
28D0
0x
28D4
0x
28D8
0x
28DC
0x
28E0
0x
28E4
0x
28E8
0x
28EC
0x
28F0
0x
28F4
0x
28F8
0x
28FC
0x
2900
0x
2904
0x
2908
0x
290C
0x
2910
0x
2914
0x
2918
0x
291C
0x
2920
0x
2924
0x
2928
0x
292C
0x
2930
0x
2934
0x
2938
0x
293C
0x
2940
0x
2944
0x
2948
0x
294C
0x
2950
0x
2954
0x
2958
0x
295C
0x
2960
0x
2964
0x
2968
0x
296C
0x
2970
0x
2974
0x
2978
0x
297C
0x
2980
0x
2984
0x
2988
0x
298C
0x
2990
0x
2994
0x
2998
0x
299C
0x
29A0
0x
29A4
0x
29A8
0x
29AC
0x
29B0
0x
29B4
0x
29B8
0x
29BC
0x
29C0
0x
29C4
0x
29C8
0x
29CC
0x
29D0
0x
29D4
0x
29D8
0x
29DC
0x
29E0
0x
29E4
0x
29E8
0x
29EC
0x
29F0
0x
29F4
0x
29F8
0x
29FC
0x
2A00
0x
2A04
0x
2A08
0x
2A0C
0x
2A10
0x
2A14
0x
2A18
0x
2A1C
0x
2A20
0x
2A24
0x
2A28
0x
2A2C
0x
2A30
0x
2A34
0x
2A38
0x
2A3C
0x
2A40
0x
2A44
0x
2A48
0x
2A4C
0x
2A50
0x
2A54
0x
2A58
0x
2A5C
0x
2A60
0x
2A64
0x
2A68
0x
2A6C
0x
2A70
0x
2A74
0x
2A78
0x
2A7C
0x
2A80
0x
2A84
0x
2A88
0x
2A8C
0x
2A90
0x
2A94
0x
2A98
0x
2A9C
0x
2AA0
0x
2AA4
0x
2AA8
0x
2AAC
0x
2AB0
0x
2AB4
0x
2AB8
0x
2ABC
0x
2AC0
0x
2AC4
0x
2AC8
0x
2ACC
0x
2AD0
0x
2AD4
0x
2AD8
0x
2ADC
0x
2AE0
0x
2AE4
0x
2AE8
0x
2AEC
0x
2AF0
0x
2AF4
0x
2AF8
0x
2AFC
0x
2B00
0x
2B04
0x
2B08
0x
2B0C
0x
2B10
0x
2B14
0x
2B18
0x
2B1C
0x
2B20
0x
2B24
0x
2B28
0x
2B2C
0x
2B30
0x
2B34
0x
2B38
0x
2B3C
0x
2B40
0x
2B44
0x
2B48
0x
2B4C
0x
2B50
0x
2B54
0x
2B58
0x
2B5C
0x
2B60
0x
2B64
0x
2B68
0x
2B6C
0x
2B70
0x
2B74
0x
2B78
0x
2B7C
0x
2B80
0x
2B84
0x
2B88
0x
2B8C
0x
2B90
0x
2B94
0x
2B98
0x
2B9C
0x
2BA0
0x
2BA4
0x
2BA8
0x
2BAC
0x
2BB0
0x
2BB4
0x
2BB8
0x
2BBC
0x
2BC0
0x
2BC4
0x
2BC8
0x
2BCC
0x
2BD0
0x
2BD4
0x
2BD8
0x
2BDC
0x
2BE0
0x
2BE4
0x
2BE8
0x
2BEC
0x
2BF0
0x
2BF4
0x
2BF8
0x
2BFC
0x
2C04
0x
2C08
0x
2C0C
0x
2C10
0x
2C14
0x
2C18
0x
2C1C
0x
2C20
0x
2C24
0x
2C54
0x
2C58
0x
2C5C
0x
2C60
0x
2C64
0x
2C68
0x
2C6C
0x
2C70
0x
2C74
0x
2C78
0x
2C7C
0x
2C80
0x
2C84
0x
2C88
0x
2C8C
0x
2C90
0x
2C94
0x
2C98
0x
2C9C
0x
2CA0
0x
2CA4
0x
2CA8
0x
2CAC
0x
2CB0
0x
2CB4
0x
2CB8
0x
2CBC
0x
2CC0
0x
2CC4
0x
2CC8
0x
2CCC
0x
2CD0
0x
2CD4
0x
2CD8
0x
2CDC
0x
2CE0
0x
2CE4
0x
2CE8
0x
2CEC
0x
2CF0
0x
2CF4
0x
2CF8
0x
2CFC
0x
2D00
0x
2D04
0x
2D08
0x
2D0C
0x
2D10
0x
2D14
0x
2D18
0x
2D1C
0x
2D20
0x
2D24
0x
2D28
0x
2D2C
0x
2D30
0x
2D34
0x
2D38
0x
2D3C
0x
2D40
0x
2D44
0x
2D48
0x
2D4C
0x
2D50
0x
2D54
0x
2D58
0x
2D5C
0x
2D60
0x
2D64
0x
2D68
0x
2D6C
0x
2D70
0x
2D74
0x
2D78
0x
2D7C
0x
2D80
0x
2D84
0x
2D88
0x
2D8C
0x
2D90
0x
2D94
0x
2D98
0x
2D9C
0x
2DA0
0x
2DA4
0x
2DA8
0x
2DAC
0x
2DB0
0x
2DB4
0x
2DB8
0x
2DBC
0x
2DC0
0x
2DC4
0x
2DC8
0x
2DCC
0x
2DD0
0x
2DD4
0x
2DD8
0x
2DDC
0x
2DE0
0x
2DE4
0x
2DE8
0x
2DEC
0x
2DF0
0x
2DF4
0x
2DF8
0x
2DFC
0x
2E00
0x
2E04
0x
2E08
0x
2E0C
0x
2E10
0x
2E14
0x
2E18
0x
2E1C
0x
2E20
0x
2E24
0x
2E28
0x
2E2C
0x
2E30
0x
2E34
0x
2E38
0x
2E3C
0x
2E40
0x
2E44
0x
2E48
0x
2E4C
0x
2E50
0x
2E54
0x
2E58
0x
2E5C
0x
2E60
0x
2E64
0x
2E68
0x
2E6C
0x
2E70
0x
2E74
0x
2E78
0x
2E7C
0x
2E80
0x
2E84
0x
2E88
0x
2E8C
0x
2E90
0x
2E94
0x
2E98
0x
2E9C
0x
2EA0
0x
2EA4
0x
2EA8
0x
2EAC
0x
2EB0
0x
2EB4
0x
2EB8
0x
2EBC
0x
2EC0
0x
2EC4
0x
2EC8
0x
2ECC
0x
2ED0
0x
2ED4
0x
2ED8
0x
2EDC
0x
2EE0
0x
2EE4
0x
2EE8
0x
2EEC
0x
2EF0
0x
2EF4
0x
2EF8
0x
2EFC
0x
2F00
0x
2F04
0x
2F08
0x
2F0C
0x
2F10
0x
2F14
0x
2F18
0x
2F1C
0x
2F20
0x
2F24
0x
2F28
0x
2F2C
0x
2F30
0x
2F34
0x
2F38
0x
2F3C
0x
2F40
0x
2F44
0x
2F48
0x
2F4C
0x
2F50
0x
2F54
0x
2F58
0x
2F5C
0x
2F60
0x
2F64
0x
2F68
0x
2F6C
0x
2F70
0x
2F74
0x
2F78
0x
2F7C
0x
2F80
0x
2F84
0x
2F88
0x
2F8C
0x
2F90
0x
2F94
0x
2F98
0x
2F9C
0x
2FA0
0x
2FA4
0x
2FA8
0x
2FAC
0x
2FB0
0x
2FB4
0x
2FB8
0x
2FBC
0x
2FC0
0x
2FC4
0x
2FC8
0x
2FCC
0x
2FD0
0x
2FD4
0x
2FD8
0x
2FDC
0x
2FE0
0x
2FE4
0x
2FE8
0x
2FEC
0x
2FF0
0x
2FF4
0x
2FF8
0x
2FFC
0x
F74
0x
2C24
0x
2C34
0x
2C4C
0x
2C50
0x
2C2C
0x
2C3C
0x
2C44
0x
2C40
0x
2C38
0x
F30
0x
3004
0x
3008
0x
300C
0x
3010
0x
3014
0x
3018
0x
301C
0x
3020
0x
3024
0x
3028
0x
302C
0x
3030
0x
3034
0x
3038
0x
303C
0x
3040
0x
3044
0x
3048
0x
304C
0x
3050
0x
3054
0x
3058
0x
305C
0x
3060
0x
3064
0x
3068
0x
306C
0x
3070
0x
3074
0x
3078
0x
307C
0x
3080
0x
3084
0x
3088
0x
308C
0x
3090
0x
3094
0x
3098
0x
309C
0x
30A0
0x
30A4
0x
30A8
0x
30AC
0x
30B0
0x
30B4
0x
30B8
0x
30BC
0x
30C0
0x
30C4
0x
30C8
0x
30CC
0x
30D0
0x
30D4
0x
30D8
0x
30DC
0x
30E0
0x
30E4
0x
30E8
0x
30EC
0x
30F0
0x
30F4
0x
30F8
0x
30FC
0x
3100
0x
3104
0x
3108
0x
310C
0x
3110
0x
3114
0x
3118
0x
311C
0x
3120
0x
3124
0x
3128
0x
312C
0x
3130
0x
3134
0x
3138
0x
313C
0x
3140
0x
3144
0x
3148
0x
314C
0x
3150
0x
3154
0x
3158
0x
315C
0x
3160
0x
3164
0x
3168
0x
316C
0x
3170
0x
3174
0x
3178
0x
317C
0x
3180
0x
3184
0x
3188
0x
318C
0x
3190
0x
3194
0x
3198
0x
319C
0x
31A0
0x
31A4
0x
31A8
0x
31AC
0x
31B0
0x
31B4
0x
31B8
0x
31BC
0x
31C0
0x
31C4
0x
31C8
0x
31CC
0x
31D0
0x
31D4
0x
31D8
0x
31DC
0x
31E8
0x
31EC
0x
31F0
0x
31F4
0x
31F8
0x
31FC
0x
3200
0x
3204
0x
3208
0x
320C
0x
3210
0x
3214
0x
3218
0x
321C
0x
3220
0x
3224
0x
3228
0x
322C
0x
3230
0x
3234
0x
3238
0x
323C
0x
3248
0x
324C
0x
3250
0x
3254
0x
3258
0x
325C
0x
3260
0x
3264
0x
3268
0x
326C
0x
3270
0x
3274
0x
3278
0x
327C
0x
3280
0x
3284
0x
3288
0x
328C
0x
3290
0x
3294
0x
3298
0x
329C
0x
32A0
0x
32A4
0x
32A8
0x
32AC
0x
32B0
0x
32B8
0x
32BC
0x
32C0
0x
32C4
0x
32C8
0x
32CC
0x
32D0
0x
32D4
0x
32D8
0x
32DC
0x
32E0
0x
32E4
0x
32E8
0x
32EC
0x
32F0
0x
3318
0x
331C
0x
3320
0x
3324
0x
3328
0x
332C
0x
3334
0x
3338
0x
333C
0x
3340
0x
3344
0x
3348
0x
334C
0x
3350
0x
3354
0x
3358
0x
335C
0x
3360
0x
3364
0x
3368
0x
336C
0x
3370
0x
3374
0x
3378
0x
3380
0x
3384
0x
3388
0x
338C
0x
3390
0x
3394
0x
3398
0x
339C
0x
33A0
0x
33A4
0x
33A8
0x
33AC
0x
33B0
0x
33B4
0x
33B8
0x
33BC
0x
33C0
0x
33C4
0x
33C8
0x
33CC
0x
33D0
0x
33D4
0x
33D8
0x
33DC
0x
33E0
0x
33E4
0x
33E8
0x
33EC
0x
33F0
0x
33F4
0x
33F8
0x
33FC
0x
2C48
0x
2C28
0x
2C30
0x
32B8
0x
330C
0x
3404
0x
3408
0x
340C
0x
3410
0x
3414
0x
3418
0x
341C
0x
3420
0x
3424
0x
3428
0x
342C
0x
3434
0x
3438
0x
343C
0x
3440
0x
3444
0x
3448
0x
344C
0x
3450
0x
3454
0x
3458
0x
345C
0x
3468
0x
346C
0x
3470
0x
3474
0x
3478
0x
347C
0x
3480
0x
3484
0x
3488
0x
348C
0x
3490
0x
3494
0x
3498
0x
349C
0x
34A0
0x
34A4
0x
34A8
0x
34AC
0x
34B0
0x
34B4
0x
34B8
0x
34BC
0x
34C0
0x
34C4
0x
34C8
0x
34CC
0x
34D0
0x
34D4
0x
34D8
0x
34DC
0x
34E0
0x
34E8
0x
34EC
0x
34F0
0x
34F4
0x
34F8
0x
34FC
0x
3500
0x
3504
0x
3508
0x
350C
0x
3510
0x
3514
0x
3518
0x
351C
0x
3520
0x
3524
0x
3528
0x
352C
0x
3530
0x
3534
0x
3538
0x
353C
0x
3540
0x
3544
0x
3548
0x
354C
0x
3550
0x
3554
0x
3558
0x
3560
0x
3564
0x
3568
0x
356C
0x
3570
0x
3574
0x
3578
0x
357C
0x
3580
0x
3584
0x
3588
0x
358C
0x
3590
0x
3594
0x
3598
0x
359C
0x
35A0
0x
35A4
0x
35A8
0x
35AC
0x
35B0
0x
35B4
0x
35B8
0x
35BC
0x
35C0
0x
35C4
0x
35C8
0x
35CC
0x
35D0
0x
35D4
0x
35D8
0x
35DC
0x
35E0
0x
35E4
0x
35E8
0x
35EC
0x
35F0
0x
35F4
0x
35F8
0x
35FC
0x
3600
0x
3604
0x
3608
0x
360C
0x
3610
0x
3614
0x
3618
0x
361C
0x
3620
0x
3624
0x
3628
0x
362C
0x
3630
0x
3634
0x
3638
0x
363C
0x
3640
0x
3644
0x
3648
0x
364C
0x
3650
0x
3654
0x
3658
0x
365C
0x
3660
0x
3664
0x
3668
0x
366C
0x
3670
0x
3674
0x
3678
0x
367C
0x
3680
0x
3684
0x
3688
0x
368C
0x
3690
0x
3694
0x
3698
0x
369C
0x
36A0
0x
36A4
0x
36A8
0x
36AC
0x
36B0
0x
36B4
0x
36C0
0x
36C4
0x
36C8
0x
36CC
0x
36D0
0x
36D4
0x
36D8
0x
36DC
0x
36E0
0x
36E4
0x
36E8
0x
36EC
0x
36F0
0x
36F4
0x
36F8
0x
36FC
0x
3700
0x
3704
0x
3708
0x
370C
0x
3710
0x
3714
0x
3718
0x
371C
0x
3720
0x
3724
0x
3728
0x
372C
0x
3730
0x
3734
0x
3738
0x
373C
0x
3740
0x
3744
0x
3748
0x
374C
0x
3750
0x
3754
0x
3758
0x
376C
0x
3760
0x
3778
0x
377C
0x
3780
0x
3784
0x
3788
0x
378C
0x
3790
0x
3794
0x
3798
0x
379C
0x
37A0
0x
37A4
0x
37A8
0x
37AC
0x
37B0
0x
37B4
0x
37B8
0x
37BC
0x
37C0
0x
37C4
0x
37C8
0x
37CC
0x
37D0
0x
37D4
0x
37D8
0x
37DC
0x
37E0
0x
37E4
0x
37E8
0x
37EC
0x
37F0
0x
37F4
0x
37FC
0x
3804
0x
3808
0x
380C
0x
3810
0x
3814
0x
3818
0x
381C
0x
3820
0x
3824
0x
3828
0x
382C
0x
3830
0x
3834
0x
3838
0x
383C
0x
3840
0x
3848
0x
384C
0x
3850
0x
3854
0x
3858
0x
385C
0x
3860
0x
3864
0x
3868
0x
386C
0x
3870
0x
3874
0x
3878
0x
387C
0x
3880
0x
3884
0x
3888
0x
388C
0x
389C
0x
38A0
0x
38A4
0x
38A8
0x
38AC
0x
38BC
0x
38C0
0x
38C4
0x
38C8
0x
38CC
0x
38D0
0x
38D4
0x
38D8
0x
38DC
0x
38E0
0x
38E4
0x
38EC
0x
38F0
0x
38F4
0x
38F8
0x
38FC
0x
3900
0x
3904
0x
3908
0x
390C
0x
3910
0x
3914
0x
3918
0x
391C
0x
3920
0x
3924
0x
3928
0x
392C
0x
3930
0x
3934
0x
3938
0x
393C
0x
3940
0x
3944
0x
3948
0x
394C
0x
3950
0x
3954
0x
3958
0x
395C
0x
3960
0x
3964
0x
3968
0x
396C
0x
3970
0x
3974
0x
3978
0x
397C
0x
3980
0x
3984
0x
3988
0x
398C
0x
3990
0x
3994
0x
3998
0x
399C
0x
39A0
0x
39A8
0x
39AC
0x
39B0
0x
39B4
0x
39B8
0x
39BC
0x
39C0
0x
39C4
0x
39C8
0x
39CC
0x
39D0
0x
39D4
0x
39D8
0x
39DC
0x
39E0
0x
39E4
0x
39E8
0x
39EC
0x
39F0
0x
39F4
0x
39F8
0x
39FC
0x
3A00
0x
3A04
0x
3A08
0x
3A0C
0x
3A10
0x
3A14
0x
3A18
0x
3A1C
0x
3A24
0x
3A28
0x
3A2C
0x
3A30
0x
3A34
0x
3A38
0x
3A3C
0x
3A40
0x
3A4C
0x
3A50
0x
3A54
0x
3A58
0x
3A5C
0x
3A60
0x
3A64
0x
3A68
0x
3A6C
0x
3A70
0x
3A74
0x
3A78
0x
3A7C
0x
3A80
0x
3A84
0x
3A88
0x
3A8C
0x
3A90
0x
3A94
0x
3A98
0x
3A9C
0x
3AA0
0x
3AA4
0x
3AA8
0x
3AAC
0x
3AB0
0x
3AB4
0x
3AB8
0x
3ABC
0x
3AC0
0x
3AC4
0x
3AC8
0x
3ACC
0x
3AD0
0x
3AD4
0x
3AD8
0x
3ADC
0x
3AE0
0x
3AE4
0x
3AE8
0x
3AEC
0x
3AF0
0x
3AF4
0x
3AF8
0x
3AFC
0x
3B00
0x
3B04
0x
3B08
0x
3B0C
0x
3B10
0x
3B14
0x
3B18
0x
3B1C
0x
3B20
0x
3B24
0x
3B28
0x
3B2C
0x
3B30
0x
3B34
0x
3B38
0x
3B3C
0x
3B40
0x
3B44
0x
3B48
0x
3B50
0x
3B54
0x
3B58
0x
3B5C
0x
3B60
0x
3B64
0x
3B68
0x
3B6C
0x
3B70
0x
3B74
0x
3B78
0x
3B7C
0x
3B80
0x
3B84
0x
3B88
0x
3B8C
0x
3B90
0x
3B94
0x
3B98
0x
3B9C
0x
3BA0
0x
3BA4
0x
3BA8
0x
3BAC
0x
3BB0
0x
3BB4
0x
3BB8
0x
3BBC
0x
3BC0
0x
3BC4
0x
3BC8
0x
3BCC
0x
3BD0
0x
3BD4
0x
3BD8
0x
3BDC
0x
3BE0
0x
3BE4
0x
3BE8
0x
3BEC
0x
3BF0
0x
3BF4
0x
3BF8
0x
3BFC
0x
376C
0x
38B4
0x
3464
0x
355C
0x
3460
0x
3304
0x
3330
0x
3430
0x
3300
0x
337C
0x
3314
0x
3308
0x
3C04
0x
3C08
0x
3C0C
0x
3C10
0x
3C14
0x
3C18
0x
3C1C
0x
3C20
0x
3C24
0x
3C28
0x
3C2C
0x
3C30
0x
3C34
0x
3C38
0x
3C3C
0x
3C40
0x
3C44
0x
3C48
0x
3C4C
0x
3C50
0x
3C54
0x
3C58
0x
3C5C
0x
3C60
0x
3C64
0x
3C68
0x
3C6C
0x
3C70
0x
3C74
0x
3C78
0x
3C7C
0x
3C80
0x
3C84
0x
3C88
0x
3C8C
0x
3C90
0x
3C94
0x
3C98
0x
3C9C
0x
3CA0
0x
3CA4
0x
3CA8
0x
3CAC
0x
3CB0
0x
3CB4
0x
3CB8
0x
3CBC
0x
3CC0
0x
3CC4
0x
3CC8
0x
3CCC
0x
3CD0
0x
3CD4
0x
3CD8
0x
3CDC
0x
3CE0
0x
3CE4
0x
3CE8
0x
3CEC
0x
3CF0
0x
3CF4
0x
3CF8
0x
3CFC
0x
3D00
0x
3D04
0x
3D08
0x
3D0C
0x
3D10
0x
3D14
0x
3D18
0x
3D1C
0x
3D20
0x
3D24
0x
3D28
0x
3D2C
0x
3D30
0x
3D34
0x
3D38
0x
3D3C
0x
3D40
0x
3D44
0x
3D48
0x
3D4C
0x
3D50
0x
3D54
0x
3D58
0x
3D5C
0x
3D60
0x
3D64
0x
3D68
0x
3D6C
0x
3D70
0x
3D74
0x
3D78
0x
3D7C
0x
3D80
0x
3D84
0x
3D88
0x
3D8C
0x
3D90
0x
3D94
0x
3D98
0x
3D9C
0x
3DA0
0x
3DA4
0x
3DA8
0x
3DAC
0x
3DB0
0x
3DB4
0x
3DB8
0x
3DBC
0x
3DC0
0x
3DC4
0x
3DC8
0x
3DCC
0x
3DD0
0x
3DD4
0x
3DD8
0x
3DDC
0x
3DE0
0x
3DE4
0x
3DE8
0x
3DEC
0x
3DF0
0x
3DF4
0x
3DF8
0x
3DFC
0x
3E00
0x
3E04
0x
3E08
0x
3E0C
0x
3E10
0x
3E14
0x
3E18
0x
3E1C
0x
3E20
0x
3E24
0x
3E28
0x
3E2C
0x
3E30
0x
3E34
0x
3E38
0x
3E3C
0x
3E40
0x
3E44
0x
3E48
0x
3E4C
0x
3E50
0x
3E54
0x
3E58
0x
3E5C
0x
3E60
0x
3E64
0x
3E68
0x
3E6C
0x
3E70
0x
3E74
0x
3E78
0x
3E7C
0x
3E80
0x
3E84
0x
3E88
0x
3E8C
0x
3E90
0x
3E94
0x
3E98
0x
3E9C
0x
3EA0
0x
3EA4
0x
3EA8
0x
3EAC
0x
3EB0
0x
3EB4
0x
3EB8
0x
3EBC
0x
3EC0
0x
3EC4
0x
3EC8
0x
3ECC
0x
3ED0
0x
3ED4
0x
3ED8
0x
3EDC
0x
3EE0
0x
3EE4
0x
3EE8
0x
3EEC
0x
3EF0
0x
3EF4
0x
3EF8
0x
3EFC
0x
3F00
0x
3F04
0x
3F08
0x
3F0C
0x
3F10
0x
3F14
0x
3F18
0x
3F1C
0x
3F20
0x
3F24
0x
3F28
0x
3F2C
0x
3F30
0x
3F34
0x
3F38
0x
3F3C
0x
3F40
0x
3F44
0x
3F48
0x
3F4C
0x
3F50
0x
3F54
0x
3F58
0x
3F5C
0x
3F60
0x
3F64
0x
3F68
0x
3F6C
0x
3F70
0x
3F74
0x
3F78
0x
3F7C
0x
3F80
0x
3F84
0x
3F88
0x
3F8C
0x
3F90
0x
3F94
0x
3F98
0x
3F9C
0x
3FA0
0x
3FA4
0x
3FA8
0x
3FAC
0x
3FB0
0x
3FB4
0x
3FB8
0x
3FBC
0x
3FC0
0x
3FC4
0x
3FC8
0x
3FCC
0x
3FD0
0x
3FD4
0x
3FD8
0x
3FDC
0x
3FE0
0x
3FE4
0x
3FE8
0x
3FEC
0x
3FF0
0x
3FF4
0x
3FF8
0x
3FFC
0x
4004
0x
4008
0x
400C
0x
4010
0x
4014
0x
4018
0x
401C
0x
4020
0x
4024
0x
4028
0x
402C
0x
4030
0x
4034
0x
4038
0x
403C
0x
4040
0x
4044
0x
4048
0x
404C
0x
4050
0x
4054
0x
4058
0x
405C
0x
4060
0x
4064
0x
4068
0x
406C
0x
4070
0x
4074
0x
4078
0x
407C
0x
4080
0x
4084
0x
4088
0x
408C
0x
4090
0x
4094
0x
4098
0x
409C
0x
40A0
0x
40A4
0x
40A8
0x
40AC
0x
40B0
0x
40B4
0x
40B8
0x
40BC
0x
40C0
0x
40C4
0x
40C8
0x
40CC
0x
40D0
0x
40D4
0x
40D8
0x
40DC
0x
40E0
0x
40E4
0x
40E8
0x
40EC
0x
40F0
0x
40F4
0x
40F8
0x
40FC
0x
4100
0x
4104
0x
4108
0x
410C
0x
4110
0x
4114
0x
4118
0x
411C
0x
4120
0x
4124
0x
4128
0x
412C
0x
4130
0x
4134
0x
4138
0x
413C
0x
4140
0x
4144
0x
4148
0x
414C
0x
4150
0x
4154
0x
4158
0x
415C
0x
4160
0x
4164
0x
4168
0x
416C
0x
4170
0x
4174
0x
4178
0x
417C
0x
4180
0x
4184
0x
4188
0x
418C
0x
4190
0x
4194
0x
4198
0x
419C
0x
41A0
0x
41A4
0x
41A8
0x
41AC
0x
41B0
0x
41B4
0x
41B8
0x
41BC
0x
41C0
0x
41C4
0x
41C8
0x
41CC
0x
41D0
0x
41D4
0x
41D8
0x
41DC
0x
41E0
0x
41E4
0x
41E8
0x
41EC
0x
41F0
0x
41F4
0x
41F8
0x
41FC
0x
4200
0x
4204
0x
4208
0x
420C
0x
4210
0x
4214
0x
4218
0x
421C
0x
4220
0x
4224
0x
4228
0x
422C
0x
4230
0x
4234
0x
4238
0x
423C
0x
4240
0x
4244
0x
4248
0x
424C
0x
4250
0x
4254
0x
4258
0x
425C
0x
4260
0x
4264
0x
4268
0x
426C
0x
4270
0x
4274
0x
4278
0x
427C
0x
4280
0x
4284
0x
4288
0x
428C
0x
4290
0x
4294
0x
4298
0x
429C
0x
42A0
0x
42A4
0x
42A8
0x
42AC
0x
42B0
0x
42B4
0x
42B8
0x
42BC
0x
42C0
0x
42C4
0x
42C8
0x
42CC
0x
42D0
0x
42D4
0x
42D8
0x
42DC
0x
42E0
0x
42E4
0x
42E8
0x
42EC
0x
42F0
0x
42F4
0x
42F8
0x
42FC
0x
4300
0x
4304
0x
4308
0x
430C
0x
4310
0x
4314
0x
4318
0x
431C
0x
4320
0x
4324
0x
4328
0x
432C
0x
4330
0x
4334
0x
4338
0x
433C
0x
4340
0x
4344
0x
4348
0x
434C
0x
4350
0x
4354
0x
4358
0x
435C
0x
4360
0x
4364
0x
4368
0x
436C
0x
4370
0x
4374
0x
4378
0x
437C
0x
4380
0x
4384
0x
4388
0x
438C
0x
4390
0x
4394
0x
4398
0x
439C
0x
43A0
0x
43A4
0x
43A8
0x
43AC
0x
43B0
0x
43B4
0x
43B8
0x
43BC
0x
43C0
0x
43C4
0x
43C8
0x
43CC
0x
43D0
0x
43D4
0x
43D8
0x
43DC
0x
43E0
0x
43E4
0x
43E8
0x
43EC
0x
43F0
0x
43F4
0x
43F8
0x
43FC
0x
3A48
0x
3B4C
0x
3A44
0x
3894
0x
38E8
0x
3A20
0x
3890
0x
39A4
0x
38B8
0x
38B0
0x
4404
0x
4408
0x
440C
0x
4410
0x
4414
0x
4418
0x
441C
0x
4420
0x
4424
0x
4428
0x
442C
0x
4430
0x
4434
0x
4438
0x
443C
0x
4440
0x
4444
0x
4448
0x
444C
0x
4450
0x
4454
0x
4458
0x
445C
0x
4460
0x
4464
0x
4468
0x
446C
0x
4470
0x
4474
0x
4478
0x
447C
0x
4480
0x
4484
0x
4488
0x
448C
0x
4490
0x
4494
0x
4498
0x
449C
0x
44A0
0x
44A4
0x
44A8
0x
44AC
0x
44B0
0x
44B4
0x
44B8
0x
44BC
0x
44C0
0x
44C4
0x
44C8
0x
44CC
0x
44D0
0x
44D4
0x
44D8
0x
44EC
0x
44F0
0x
44F4
0x
44F8
0x
44FC
0x
4500
0x
4504
0x
4508
0x
450C
0x
4510
0x
4514
0x
4518
0x
451C
0x
4520
0x
4524
0x
4528
0x
452C
0x
4530
0x
4534
0x
4538
0x
453C
0x
4540
0x
4544
0x
4548
0x
454C
0x
4558
0x
455C
0x
4560
0x
4564
0x
4568
0x
456C
0x
4570
0x
4574
0x
4578
0x
457C
0x
4580
0x
4584
0x
4588
0x
458C
0x
4590
0x
4594
0x
4598
0x
459C
0x
45A4
0x
45A8
0x
45AC
0x
45B0
0x
45B4
0x
45B8
0x
45BC
0x
45C0
0x
45C4
0x
45C8
0x
45CC
0x
45D0
0x
45D4
0x
45D8
0x
45DC
0x
45E0
0x
45E4
0x
45E8
0x
45EC
0x
45F0
0x
45F8
0x
45FC
0x
4600
0x
4604
0x
4608
0x
460C
0x
4610
0x
4614
0x
4618
0x
461C
0x
4620
0x
4624
0x
4628
0x
462C
0x
4630
0x
4634
0x
4638
0x
463C
0x
4640
0x
4644
0x
4648
0x
464C
0x
4650
0x
4654
0x
4658
0x
465C
0x
4660
0x
4664
0x
4668
0x
466C
0x
4670
0x
4674
0x
4678
0x
467C
0x
4680
0x
4684
0x
4688
0x
468C
0x
4690
0x
4694
0x
4698
0x
469C
0x
46A0
0x
46A4
0x
46A8
0x
46AC
0x
46B0
0x
46B4
0x
46B8
0x
46BC
0x
46C0
0x
46C4
0x
46C8
0x
46CC
0x
46D4
0x
46D8
0x
46DC
0x
46E0
0x
46E4
0x
46E8
0x
46EC
0x
46F0
0x
46F4
0x
46F8
0x
46FC
0x
4700
0x
4704
0x
4708
0x
470C
0x
4710
0x
4714
0x
4718
0x
471C
0x
4720
0x
4724
0x
4728
0x
472C
0x
4730
0x
4734
0x
4738
0x
473C
0x
4740
0x
4744
0x
4748
0x
474C
0x
4750
0x
4754
0x
4758
0x
475C
0x
4760
0x
4764
0x
4768
0x
4770
0x
4774
0x
4778
0x
477C
0x
4780
0x
4784
0x
4788
0x
478C
0x
4790
0x
4794
0x
4798
0x
479C
0x
47A0
0x
47A4
0x
47A8
0x
47AC
0x
47B0
0x
47B4
0x
47B8
0x
47BC
0x
47C0
0x
47C4
0x
47C8
0x
47CC
0x
47D0
0x
47D4
0x
47D8
0x
47E4
0x
47E8
0x
47EC
0x
47F0
0x
47F4
0x
47F8
0x
47FC
0x
43C4
0x
DF0
0x
E0C
0x
4554
0x
4804
0x
4808
0x
480C
0x
4810
0x
4814
0x
4818
0x
481C
0x
4820
0x
4824
0x
4828
0x
482C
0x
4830
0x
4834
0x
4838
0x
483C
0x
4840
0x
4844
0x
4848
0x
484C
0x
4850
0x
4854
0x
4858
0x
485C
0x
4860
0x
4864
0x
4868
0x
486C
0x
4870
0x
4874
0x
4878
0x
487C
0x
4880
0x
4884
0x
4888
0x
488C
0x
4890
0x
4894
0x
4898
0x
489C
0x
48A4
0x
48A8
0x
48AC
0x
48B0
0x
48B4
0x
48B8
0x
48BC
0x
48C0
0x
48C4
0x
48C8
0x
48CC
0x
48D0
0x
48D4
0x
48D8
0x
48DC
0x
48E0
0x
48E4
0x
48E8
0x
48EC
0x
48F0
0x
48F4
0x
48F8
0x
48FC
0x
4900
0x
4904
0x
4908
0x
490C
0x
4910
0x
4914
0x
4918
0x
491C
0x
4920
0x
4924
0x
4928
0x
492C
0x
4930
0x
4934
0x
4938
0x
493C
0x
4940
0x
4944
0x
4948
0x
494C
0x
4950
0x
4954
0x
4958
0x
495C
0x
4960
0x
4964
0x
4968
0x
496C
0x
4970
0x
4974
0x
4978
0x
497C
0x
4980
0x
4984
0x
4988
0x
498C
0x
4990
0x
4994
0x
4998
0x
499C
0x
49A0
0x
49A4
0x
49A8
0x
49AC
0x
49B0
0x
49B4
0x
49B8
0x
49BC
0x
49C0
0x
49C4
0x
49C8
0x
49CC
0x
49D0
0x
49D4
0x
49D8
0x
49DC
0x
49E0
0x
49E4
0x
49E8
0x
49EC
0x
49F0
0x
49F4
0x
49F8
0x
49FC
0x
4A00
0x
4A04
0x
4A08
0x
4A0C
0x
4A10
0x
4A14
0x
4A18
0x
4A1C
0x
4A20
0x
4A24
0x
4A28
0x
4A2C
0x
4A30
0x
4A34
0x
4A38
0x
4A3C
0x
4A40
0x
4A44
0x
4A48
0x
4A4C
0x
4A50
0x
4A54
0x
4A58
0x
4A5C
0x
4A60
0x
4A64
0x
4A68
0x
4A6C
0x
4A70
0x
4A74
0x
4A78
0x
4A7C
0x
4A80
0x
4A84
0x
4A88
0x
4A8C
0x
4A90
0x
4A94
0x
4A98
0x
4A9C
0x
4AA0
0x
4AA4
0x
4AA8
0x
4AAC
0x
4AB0
0x
4AB4
0x
4AB8
0x
4ABC
0x
4AC0
0x
4AC4
0x
4AC8
0x
4ACC
0x
4AD0
0x
4AD4
0x
4AD8
0x
4ADC
0x
4AE0
0x
4AE4
0x
4AE8
0x
4AEC
0x
4AF0
0x
4AF4
0x
4AF8
0x
4AFC
0x
4B00
0x
4B04
0x
4B10
0x
4B14
0x
4B18
0x
4B1C
0x
4B20
0x
4B24
0x
4B28
0x
4B2C
0x
4B30
0x
4B34
0x
4B38
0x
4B3C
0x
4B40
0x
4B44
0x
4B48
0x
4B4C
0x
4B50
0x
4B54
0x
4B58
0x
4B5C
0x
4B60
0x
4B64
0x
4B68
0x
4B74
0x
4B78
0x
4B7C
0x
4B80
0x
4B84
0x
4B88
0x
4B8C
0x
4B90
0x
4B94
0x
4B98
0x
4B9C
0x
4BA0
0x
4BA4
0x
4BA8
0x
4BAC
0x
4BB0
0x
4BB4
0x
4BB8
0x
4BBC
0x
4BC0
0x
4BC4
0x
4BC8
0x
4BCC
0x
4BD0
0x
4BD4
0x
4BD8
0x
4BDC
0x
4BE0
0x
4BE4
0x
4BE8
0x
4BEC
0x
4BF0
0x
4BF4
0x
4BF8
0x
4BFC
0x
F6C
0x
F38
0x
4C04
0x
4C08
0x
4C0C
0x
4C10
0x
4C14
0x
4C18
0x
4C1C
0x
4C20
0x
4C24
0x
4C28
0x
4C2C
0x
4C30
0x
4C38
0x
4C3C
0x
4C40
0x
4C44
0x
4C48
0x
4C4C
0x
4C50
0x
4C54
0x
4C58
0x
4C5C
0x
4C60
0x
4C64
0x
4C68
0x
4C6C
0x
4C70
0x
4C74
0x
4C78
0x
4C7C
0x
4C80
0x
4C84
0x
4C88
0x
4C8C
0x
4C90
0x
4C94
0x
4C98
0x
4C9C
0x
4CA0
0x
4CA4
0x
4CA8
0x
4CAC
0x
4CB0
0x
4CB4
0x
4CB8
0x
4CBC
0x
4CC0
0x
4CC4
0x
4CC8
0x
4CCC
0x
4CD0
0x
4CD4
0x
4CD8
0x
4CDC
0x
4CE0
0x
4CE4
0x
4CE8
0x
4CEC
0x
4CF0
0x
4CF4
0x
4CF8
0x
4CFC
0x
4D00
0x
4D04
0x
4D08
0x
4D0C
0x
4D10
0x
4D14
0x
4D18
0x
4D20
0x
4D24
0x
4D28
0x
4D2C
0x
4D30
0x
4D34
0x
4D38
0x
4D3C
0x
4D40
0x
4D44
0x
4D48
0x
4D4C
0x
4D50
0x
4D54
0x
4D58
0x
4D5C
0x
4D60
0x
4D64
0x
4D68
0x
4D6C
0x
4D70
0x
4D74
0x
4D78
0x
4D7C
0x
4D80
0x
4D84
0x
4D88
0x
4D8C
0x
4D90
0x
4D94
0x
4D98
0x
4D9C
0x
4DA0
0x
4DA4
0x
4DA8
0x
4DAC
0x
4DB0
0x
4DB4
0x
4DB8
0x
4DBC
0x
4DC0
0x
4DC4
0x
4DC8
0x
4DCC
0x
4DD0
0x
4DD4
0x
4DD8
0x
4DDC
0x
4DE0
0x
4DE4
0x
4DE8
0x
4DEC
0x
4DF0
0x
4DF4
0x
4DF8
0x
4DFC
0x
4E00
0x
4E04
0x
4E08
0x
4E0C
0x
4E10
0x
4E14
0x
4E18
0x
4E1C
0x
4E20
0x
4E24
0x
4E28
0x
4E2C
0x
4E30
0x
4E34
0x
4E3C
0x
4E40
0x
4E44
0x
4E48
0x
4E4C
0x
4E50
0x
4E54
0x
4E58
0x
4E5C
0x
4E60
0x
4E64
0x
4E68
0x
4E6C
0x
4E70
0x
4E74
0x
4E78
0x
4E7C
0x
4E80
0x
4E84
0x
4E88
0x
4E8C
0x
4E90
0x
4E94
0x
4E98
0x
4E9C
0x
4EA0
0x
4EA4
0x
4EA8
0x
4EAC
0x
4EB0
0x
4EB4
0x
4EB8
0x
4EBC
0x
4EC0
0x
4EC4
0x
4EC8
0x
4ECC
0x
4ED0
0x
4ED4
0x
4ED8
0x
4EDC
0x
4EE0
0x
4EE4
0x
4EE8
0x
4EEC
0x
4EF0
0x
4EF4
0x
4EF8
0x
4EFC
0x
4F00
0x
4F04
0x
4F08
0x
4F0C
0x
4F10
0x
4F14
0x
4F18
0x
4F1C
0x
4F20
0x
4F24
0x
4F28
0x
4F2C
0x
4F30
0x
4F34
0x
4F40
0x
4F44
0x
4F48
0x
4F4C
0x
4F50
0x
4F54
0x
4F58
0x
4F5C
0x
4F60
0x
4F64
0x
4F68
0x
4F70
0x
4F74
0x
4F78
0x
4F7C
0x
4F80
0x
4F84
0x
4F88
0x
4F8C
0x
4F90
0x
4F94
0x
4F98
0x
4F9C
0x
4FA0
0x
4FA4
0x
4FA8
0x
4FAC
0x
4FB0
0x
4FB4
0x
4FB8
0x
4FBC
0x
4FC0
0x
4FC4
0x
4FC8
0x
4FCC
0x
4FD0
0x
4FD4
0x
4FD8
0x
4FDC
0x
4FE0
0x
4FE4
0x
4FE8
0x
4FEC
0x
4FF0
0x
4FF4
0x
4FF8
0x
4FFC
0x
4B70
0x
47E0
0x
48A0
0x
44E0
0x
45F4
0x
47DC
0x
476C
0x
46D0
0x
44DC
0x
45A0
0x
5004
0x
5008
0x
500C
0x
5010
0x
5014
0x
5018
0x
501C
0x
5020
0x
5024
0x
5028
0x
502C
0x
5030
0x
5034
0x
5038
0x
503C
0x
5040
0x
5044
0x
5048
0x
504C
0x
5050
0x
5054
0x
5058
0x
505C
0x
5060
0x
5064
0x
5068
0x
506C
0x
5070
0x
5074
0x
5078
0x
507C
0x
5080
0x
5084
0x
5088
0x
508C
0x
5090
0x
5094
0x
5098
0x
509C
0x
50A0
0x
50A4
0x
50A8
0x
50AC
0x
50B0
0x
50B4
0x
50B8
0x
50BC
0x
50C0
0x
50C4
0x
50C8
0x
50CC
0x
50D0
0x
50D4
0x
50D8
0x
50DC
0x
50E0
0x
50E4
0x
50E8
0x
50EC
0x
50F0
0x
50F4
0x
50F8
0x
50FC
0x
5100
0x
5104
0x
5108
0x
510C
0x
5110
0x
5114
0x
5118
0x
511C
0x
5120
0x
5124
0x
5128
0x
512C
0x
5130
0x
5134
0x
5138
0x
513C
0x
5140
0x
5144
0x
5148
0x
514C
0x
5150
0x
5154
0x
5158
0x
515C
0x
5160
0x
5164
0x
5168
0x
516C
0x
5170
0x
5174
0x
5178
0x
517C
0x
5180
0x
5184
0x
5188
0x
518C
0x
5190
0x
5194
0x
5198
0x
519C
0x
51A0
0x
51A4
0x
51A8
0x
51AC
0x
51B0
0x
51B4
0x
51B8
0x
51BC
0x
51C0
0x
51C4
0x
51C8
0x
51CC
0x
51D0
0x
51D4
0x
51D8
0x
51DC
0x
51E0
0x
51E4
0x
51E8
0x
51EC
0x
51F0
0x
51F4
0x
51F8
0x
51FC
0x
5200
0x
5204
0x
5208
0x
520C
0x
5210
0x
5214
0x
5218
0x
521C
0x
5220
0x
5224
0x
5228
0x
522C
0x
5230
0x
5234
0x
5238
0x
523C
0x
5240
0x
5244
0x
5248
0x
524C
0x
5250
0x
5254
0x
5258
0x
525C
0x
5260
0x
5264
0x
5268
0x
526C
0x
5270
0x
5274
0x
5278
0x
527C
0x
5280
0x
5284
0x
5288
0x
528C
0x
5290
0x
5294
0x
5298
0x
529C
0x
52A0
0x
52A4
0x
52A8
0x
52AC
0x
52B0
0x
52B4
0x
52B8
0x
52BC
0x
52C0
0x
52C4
0x
52C8
0x
52CC
0x
52D0
0x
52D4
0x
52D8
0x
52DC
0x
52E0
0x
52E4
0x
52E8
0x
52EC
0x
52F0
0x
52F4
0x
52F8
0x
52FC
0x
5300
0x
5304
0x
5308
0x
530C
0x
5310
0x
5314
0x
5318
0x
531C
0x
5320
0x
5324
0x
5328
0x
532C
0x
5330
0x
5334
0x
5338
0x
533C
0x
5340
0x
5344
0x
5348
0x
534C
0x
5350
0x
5354
0x
5358
0x
535C
0x
5360
0x
5364
0x
5368
0x
536C
0x
5370
0x
5374
0x
5378
0x
537C
0x
5380
0x
5384
0x
5388
0x
538C
0x
5390
0x
5394
0x
5398
0x
539C
0x
53A0
0x
53A4
0x
53A8
0x
53AC
0x
53B0
0x
53B4
0x
53B8
0x
53BC
0x
53C0
0x
53C4
0x
53C8
0x
53CC
0x
53D0
0x
53D4
0x
53D8
0x
53DC
0x
53E0
0x
53E4
0x
53E8
0x
53EC
0x
53F0
0x
53F4
0x
53F8
0x
53FC
0x
4550
0x
4F3C
0x
4F6C
0x
4F38
0x
4B0C
0x
4C34
0x
4E38
0x
4D1C
0x
4B08
0x
4A3C
0x
4B6C
0x
5404
0x
5408
0x
540C
0x
5410
0x
5414
0x
5418
0x
541C
0x
5420
0x
5424
0x
5428
0x
542C
0x
5430
0x
5434
0x
5438
0x
543C
0x
5440
0x
5444
0x
5448
0x
544C
0x
5450
0x
5454
0x
5458
0x
545C
0x
5460
0x
5464
0x
5468
0x
546C
0x
5470
0x
5474
0x
5478
0x
547C
0x
5480
0x
5484
0x
5488
0x
548C
0x
5490
0x
5494
0x
5498
0x
549C
0x
54A0
0x
54A4
0x
54A8
0x
54AC
0x
54B0
0x
54B4
0x
54B8
0x
54BC
0x
54C0
0x
54C4
0x
54C8
0x
54CC
0x
54D0
0x
54D4
0x
54D8
0x
54DC
0x
54E0
0x
54E4
0x
54E8
0x
54EC
0x
54F0
0x
54F4
0x
54F8
0x
54FC
0x
5500
0x
5504
0x
5508
0x
550C
0x
5510
0x
5514
0x
5518
0x
551C
0x
5520
0x
5524
0x
5528
0x
552C
0x
5530
0x
5534
0x
5538
0x
553C
0x
5540
0x
5544
0x
5548
0x
554C
0x
5550
0x
5554
0x
5558
0x
555C
0x
5560
0x
5564
0x
5568
0x
556C
0x
5570
0x
5574
0x
5578
0x
557C
0x
5580
0x
5584
0x
5588
0x
55BC
0x
55C0
0x
55C4
0x
55C8
0x
55F8
0x
55FC
0x
5600
0x
5604
0x
5608
0x
560C
0x
5610
0x
5614
0x
5618
0x
561C
0x
5620
0x
5624
0x
5628
0x
562C
0x
5630
0x
5634
0x
5638
0x
563C
0x
5640
0x
5644
0x
5648
0x
564C
0x
5650
0x
5654
0x
5658
0x
565C
0x
5660
0x
5664
0x
5668
0x
566C
0x
5670
0x
5674
0x
5678
0x
567C
0x
5680
0x
5684
0x
5688
0x
568C
0x
5690
0x
5694
0x
5698
0x
569C
0x
56A0
0x
56A4
0x
56A8
0x
56AC
0x
56B0
0x
56B4
0x
56B8
0x
56BC
0x
56C0
0x
56C4
0x
56C8
0x
56CC
0x
56D0
0x
56D4
0x
56D8
0x
56DC
0x
56E0
0x
56E4
0x
56E8
0x
56EC
0x
56F0
0x
56F4
0x
56F8
0x
56FC
0x
5700
0x
5704
0x
5708
0x
570C
0x
5710
0x
5714
0x
5718
0x
571C
0x
5720
0x
5724
0x
5728
0x
572C
0x
5730
0x
5734
0x
5738
0x
573C
0x
5740
0x
5744
0x
5748
0x
574C
0x
5750
0x
5754
0x
5758
0x
575C
0x
5760
0x
5764
0x
5768
0x
576C
0x
5770
0x
5774
0x
5778
0x
5780
0x
5784
0x
5788
0x
578C
0x
5790
0x
5794
0x
5798
0x
579C
0x
57A0
0x
57A4
0x
57A8
0x
57AC
0x
57B0
0x
57B4
0x
57B8
0x
57BC
0x
57C0
0x
57C4
0x
57C8
0x
57CC
0x
57D0
0x
57D4
0x
57D8
0x
57DC
0x
57E0
0x
57E4
0x
57E8
0x
57EC
0x
57F0
0x
57F4
0x
57F8
0x
57FC
0x
E10
0x
4B4
0x
4B0
0x
348
0x
5588
0x
7F4
0x
5598
0x
928
0x
408
0x
55B4
0x
55B8
0x
5590
0x
55B0
0x
55A0
0x
55AC
0x
558C
0x
55A4
0x
559C
0x
64C
0x
5594
0x
3F0
0x
930
0x
95C
0x
3A4
0x
834
0x
918
0x
988
0x
44E8
0x
44E4
0x
34E4
0x
55C8
0x
55D8
0x
55F0
0x
55F4
0x
55D0
0x
55E0
0x
55E8
0x
55E4
0x
55DC
0x
55EC
0x
55CC
0x
55D4
0x
250C
0x
5804
0x
5808
0x
580C
0x
5810
0x
5814
0x
5818
0x
581C
0x
5820
0x
5824
0x
5828
0x
582C
0x
5830
0x
5834
0x
5838
0x
583C
0x
5840
0x
5844
0x
5848
0x
584C
0x
5850
0x
5854
0x
5858
0x
585C
0x
5860
0x
5864
0x
5868
0x
586C
0x
5870
0x
5874
0x
5878
0x
587C
0x
5880
0x
5884
0x
5888
0x
588C
0x
5890
0x
5894
0x
5898
0x
589C
0x
58A0
0x
58A4
0x
58A8
0x
58AC
0x
58B0
0x
58B4
0x
58B8
0x
58BC
0x
58C0
0x
58C4
0x
58C8
0x
58CC
0x
58D0
0x
58D4
0x
58D8
0x
58DC
0x
58E0
0x
58E4
0x
58E8
0x
58EC
0x
58F0
0x
58F4
0x
58F8
0x
58FC
0x
5900
0x
5904
0x
5908
0x
590C
0x
5910
0x
5914
0x
5930
0x
593C
0x
5940
0x
5944
0x
5948
0x
594C
0x
5950
0x
5954
0x
5958
0x
595C
0x
5960
0x
5964
0x
5968
0x
596C
0x
5970
0x
5974
0x
5978
0x
597C
0x
5980
0x
5984
0x
5988
0x
598C
0x
5990
0x
5994
0x
5998
0x
599C
0x
59A0
0x
59A4
0x
59A8
0x
59AC
0x
59B0
0x
59B4
0x
59B8
0x
59BC
0x
59C0
0x
59C4
0x
59C8
0x
59CC
0x
59D0
0x
59D4
0x
59E0
0x
59E4
0x
59E8
0x
59EC
0x
59F0
0x
59F4
0x
59F8
0x
59FC
0x
5A00
0x
5A04
0x
5A08
0x
5A0C
0x
5A10
0x
5A14
0x
5A18
0x
5A1C
0x
5A20
0x
5A24
0x
5A28
0x
5A2C
0x
5A30
0x
5A34
0x
5A38
0x
5A3C
0x
5A40
0x
5A44
0x
5A48
0x
5A4C
0x
5A50
0x
5A54
0x
5A58
0x
5A5C
0x
5A60
0x
5A64
0x
5A68
0x
5A6C
0x
5A70
0x
5A74
0x
5A78
0x
5A7C
0x
5A80
0x
5A84
0x
5A90
0x
5A94
0x
5A98
0x
5A9C
0x
5AC0
0x
5AD4
0x
5AD8
0x
5ADC
0x
5AE0
0x
5AE4
0x
5AE8
0x
5AEC
0x
5AF0
0x
5AF4
0x
5AF8
0x
5AFC
0x
5B00
0x
5B04
0x
5B08
0x
5B0C
0x
5B10
0x
5B14
0x
5B18
0x
5B1C
0x
5B20
0x
5B24
0x
5B28
0x
5B2C
0x
5B30
0x
5B34
0x
5B38
0x
5B3C
0x
5B40
0x
5B44
0x
5B48
0x
5B4C
0x
5B50
0x
5B54
0x
5B58
0x
5B5C
0x
5B60
0x
5B64
0x
5B68
0x
5B6C
0x
5B70
0x
5B74
0x
5B78
0x
5B7C
0x
5B80
0x
5B84
0x
5B88
0x
5B8C
0x
5B90
0x
5B94
0x
5B98
0x
5B9C
0x
5BA0
0x
5BA4
0x
5BA8
0x
5BAC
0x
5BB0
0x
5BB4
0x
5BB8
0x
5BBC
0x
5BC0
0x
5BC4
0x
5BC8
0x
5BCC
0x
5BD0
0x
5BD4
0x
5BD8
0x
5BDC
0x
5BE0
0x
5BE4
0x
5BE8
0x
5BEC
0x
5BF0
0x
5BF4
0x
5BF8
0x
5BFC
0x
A5C
0x
A3C
0x
A1C
0x
808
0x
A30
0x
854
0x
590C
0x
5924
0x
EF4
0x
59DC
0x
5A88
0x
591C
0x
592C
0x
5938
0x
5934
0x
5928
0x
B40
0x
59D8
0x
5920
0x
5918
0x
F88
0x
5A9C
0x
5AAC
0x
F20
0x
5ACC
0x
5AC8
0x
5AD0
0x
5AA4
0x
5AC4
0x
5AB4
0x
5ABC
0x
5AA0
0x
5AB8
0x
5AB0
0x
5AA8
0x
32FC
0x
577C
0x
5C04
0x
5C08
0x
5C0C
0x
5C10
0x
5C14
0x
5C18
0x
5C1C
0x
5C20
0x
5C24
0x
5C28
0x
5C2C
0x
5C30
0x
5C34
0x
5C38
0x
5C3C
0x
5C40
0x
5C44
0x
5C48
0x
5C4C
0x
5C50
0x
5C54
0x
5C58
0x
5C5C
0x
5C60
0x
5C64
0x
5C68
0x
5C6C
0x
5C70
0x
5C74
0x
5C78
0x
5C7C
0x
5C80
0x
5C84
0x
5C88
0x
5C8C
0x
5C90
0x
5C94
0x
5C98
0x
5C9C
0x
5CA0
0x
5CA4
0x
5CA8
0x
5CAC
0x
5CB0
0x
5CB4
0x
5CB8
0x
5CBC
0x
5CC0
0x
5CD4
0x
5CD8
0x
5CDC
0x
5CE0
0x
5CE4
0x
5CE8
0x
5CEC
0x
5CF0
0x
5CF8
0x
5CFC
0x
5D04
0x
5D08
0x
5D1C
0x
5D20
0x
5D28
0x
5D2C
0x
5D30
0x
5D34
0x
5D38
0x
5D3C
0x
5D40
0x
5D44
0x
5D48
0x
5D4C
0x
5D50
0x
5D54
0x
5D58
0x
5D5C
0x
5D60
0x
5D64
0x
5D68
0x
5D6C
0x
5D70
0x
5D74
0x
5D78
0x
5D7C
0x
5D80
0x
5D84
0x
5D88
0x
5D8C
0x
5D90
0x
5D94
0x
5D98
0x
5D9C
0x
5DA0
0x
5DA4
0x
5DA8
0x
5DAC
0x
5DB0
0x
5DB4
0x
5DB8
0x
5DBC
0x
5DC0
0x
5DC4
0x
5DC8
0x
5DCC
0x
5DD0
0x
5DD4
0x
5DD8
0x
5DDC
0x
5DE0
0x
5DE4
0x
5DE8
0x
5DEC
0x
5DF0
0x
5DF8
0x
5DFC
0x
5E00
0x
5E04
0x
5E08
0x
5E0C
0x
5E10
0x
5E14
0x
5E18
0x
5E1C
0x
5E20
0x
5E24
0x
5E28
0x
5E2C
0x
5E30
0x
5E34
0x
5E38
0x
5E3C
0x
5E40
0x
5E44
0x
5E48
0x
5E4C
0x
5E50
0x
5E54
0x
5E58
0x
5E5C
0x
5E60
0x
5E64
0x
5E68
0x
5E70
0x
5E74
0x
5E78
0x
5E7C
0x
5E80
0x
5E84
0x
5E88
0x
5E8C
0x
5E90
0x
5E94
0x
5E98
0x
5E9C
0x
5EA0
0x
5EA4
0x
5EA8
0x
5EAC
0x
5EB0
0x
5EB4
0x
5ED8
0x
5EDC
0x
5EE0
0x
5EE4
0x
5EE8
0x
5EEC
0x
5EF0
0x
5EFC
0x
5F00
0x
5F08
0x
5F0C
0x
5F10
0x
5F14
0x
5F18
0x
5F1C
0x
5F20
0x
5F24
0x
5F28
0x
5F2C
0x
5F30
0x
5F34
0x
5F38
0x
5F3C
0x
5F40
0x
5F44
0x
5F48
0x
5F4C
0x
5F50
0x
5F54
0x
5F58
0x
5F5C
0x
5F60
0x
5F64
0x
5F68
0x
5F6C
0x
5F70
0x
5F74
0x
5F78
0x
5F7C
0x
5F80
0x
5F84
0x
5F88
0x
5F8C
0x
5F90
0x
5F94
0x
5F98
0x
5F9C
0x
5FA0
0x
5FA4
0x
5FA8
0x
5FAC
0x
5FB0
0x
5FB4
0x
5FB8
0x
5FBC
0x
5FC0
0x
5FC4
0x
5FC8
0x
5FCC
0x
5FD0
0x
5FD4
0x
5FD8
0x
5FDC
0x
5FE0
0x
5FE4
0x
5FE8
0x
5FEC
0x
5FF0
0x
5FF4
0x
5FF8
0x
5FFC
0x
5CB0
0x
5CD0
0x
5D18
0x
5D24
0x
5D14
0x
5CC8
0x
5D00
0x
5D10
0x
5CC4
0x
5D0C
0x
5CF4
0x
5CCC
0x
5EB4
0x
5EC4
0x
B18
0x
F68
0x
5EF8
0x
5F04
0x
5EBC
0x
5EF4
0x
5ECC
0x
5ED4
0x
5EB8
0x
5ED0
0x
5EC8
0x
5EC0
0x
6004
0x
6008
0x
600C
0x
6010
0x
6014
0x
6018
0x
601C
0x
6020
0x
6024
0x
6028
0x
602C
0x
6030
0x
6034
0x
6038
0x
603C
0x
6040
0x
6044
0x
6048
0x
604C
0x
6050
0x
6054
0x
6058
0x
605C
0x
6060
0x
6064
0x
6068
0x
606C
0x
6070
0x
6074
0x
6078
0x
607C
0x
6094
0x
6098
0x
60B4
0x
60B8
0x
60BC
0x
60C0
0x
60C4
0x
60C8
0x
60CC
0x
60D0
0x
60D4
0x
60D8
0x
60DC
0x
60E0
0x
60E4
0x
60E8
0x
60EC
0x
60F0
0x
60F4
0x
60F8
0x
60FC
0x
6100
0x
6104
0x
6108
0x
610C
0x
6110
0x
6114
0x
6118
0x
611C
0x
6120
0x
6124
0x
6128
0x
612C
0x
6130
0x
6134
0x
6138
0x
613C
0x
6140
0x
6144
0x
6148
0x
614C
0x
6150
0x
6154
0x
6158
0x
615C
0x
6160
0x
6164
0x
6168
0x
616C
0x
6170
0x
6174
0x
6178
0x
617C
0x
6180
0x
6184
0x
6188
0x
618C
0x
6190
0x
6194
0x
6198
0x
619C
0x
61A0
0x
61A4
0x
61A8
0x
61AC
0x
61B0
0x
61B4
0x
61B8
0x
61BC
0x
61C0
0x
61C4
0x
61C8
0x
61CC
0x
61D0
0x
61D4
0x
61D8
0x
61DC
0x
61E0
0x
61E4
0x
61E8
0x
61EC
0x
61F0
0x
61F4
0x
61F8
0x
61FC
0x
6200
0x
6204
0x
6208
0x
620C
0x
6210
0x
6214
0x
6218
0x
621C
0x
6220
0x
6224
0x
6228
0x
622C
0x
6230
0x
6234
0x
6238
0x
623C
0x
6240
0x
6244
0x
6248
0x
624C
0x
6250
0x
6254
0x
6258
0x
625C
0x
6260
0x
6264
0x
6268
0x
626C
0x
6270
0x
6274
0x
6278
0x
627C
0x
6280
0x
6284
0x
6288
0x
628C
0x
6290
0x
6294
0x
6298
0x
629C
0x
62A0
0x
62A4
0x
62A8
0x
62AC
0x
62B0
0x
62B4
0x
62B8
0x
62BC
0x
62C0
0x
62C4
0x
62C8
0x
62CC
0x
62D0
0x
62D4
0x
62D8
0x
62DC
0x
62E0
0x
62E4
0x
62E8
0x
62EC
0x
62F0
0x
62F4
0x
62F8
0x
62FC
0x
6300
0x
6304
0x
6308
0x
630C
0x
6310
0x
6314
0x
6318
0x
631C
0x
6320
0x
6324
0x
6328
0x
632C
0x
6330
0x
6334
0x
6338
0x
633C
0x
6340
0x
6344
0x
6348
0x
634C
0x
6350
0x
6354
0x
6358
0x
635C
0x
6360
0x
6364
0x
6368
0x
636C
0x
6370
0x
6374
0x
6378
0x
637C
0x
6380
0x
6384
0x
6388
0x
638C
0x
6390
0x
6394
0x
6398
0x
639C
0x
63A0
0x
63A4
0x
63A8
0x
63AC
0x
63B0
0x
63B4
0x
63B8
0x
63BC
0x
63C0
0x
63C4
0x
63C8
0x
63CC
0x
63D0
0x
63D4
0x
63D8
0x
63DC
0x
63E0
0x
63E4
0x
63E8
0x
63EC
0x
63F0
0x
63F4
0x
63F8
0x
63FC
0x
606C
0x
608C
0x
60AC
0x
60B0
0x
6084
0x
60A8
0x
609C
0x
60A4
0x
6080
0x
60A0
0x
6090
0x
6088
0x
6404
0x
6408
0x
640C
0x
6410
0x
6414
0x
6418
0x
641C
0x
6420
0x
6424
0x
6428
0x
642C
0x
6430
0x
6434
0x
6438
0x
643C
0x
6440
0x
6444
0x
6448
0x
644C
0x
6450
0x
6454
0x
6458
0x
6464
0x
6468
0x
646C
0x
6470
0x
6474
0x
6478
0x
647C
0x
6480
0x
6484
0x
6490
0x
6494
0x
649C
0x
64A4
0x
64A8
0x
64AC
0x
64B0
0x
64B4
0x
64B8
0x
64BC
0x
64C0
0x
64C4
0x
64C8
0x
64CC
0x
64D0
0x
64D4
0x
64D8
0x
64DC
0x
64E0
0x
64E4
0x
64E8
0x
64EC
0x
64F0
0x
64F4
0x
64F8
0x
64FC
0x
6500
0x
6504
0x
6508
0x
650C
0x
6510
0x
6514
0x
6518
0x
651C
0x
6520
0x
6524
0x
6528
0x
652C
0x
6530
0x
6534
0x
6538
0x
653C
0x
6540
0x
6544
0x
6548
0x
654C
0x
6550
0x
6554
0x
6558
0x
655C
0x
6560
0x
6564
0x
6568
0x
656C
0x
6570
0x
6574
0x
6578
0x
657C
0x
6580
0x
6584
0x
6588
0x
658C
0x
6590
0x
6594
0x
6598
0x
659C
0x
65A0
0x
65A4
0x
65A8
0x
65AC
0x
65B0
0x
65B4
0x
65B8
0x
65BC
0x
65C0
0x
65C4
0x
65C8
0x
65CC
0x
65D0
0x
65D4
0x
65D8
0x
65DC
0x
65E0
0x
65E4
0x
65EC
0x
65F0
0x
65F4
0x
65F8
0x
6614
0x
6618
0x
661C
0x
6620
0x
6624
0x
6628
0x
662C
0x
6630
0x
6634
0x
6638
0x
663C
0x
6640
0x
6644
0x
6648
0x
664C
0x
6650
0x
6654
0x
6658
0x
665C
0x
6660
0x
6664
0x
6668
0x
666C
0x
6670
0x
6674
0x
6678
0x
667C
0x
6680
0x
6684
0x
6688
0x
668C
0x
6690
0x
6694
0x
6698
0x
669C
0x
66A0
0x
66A4
0x
66AC
0x
66B0
0x
66B4
0x
66B8
0x
66BC
0x
66C0
0x
66C4
0x
66C8
0x
66CC
0x
66D0
0x
66D4
0x
66D8
0x
66DC
0x
66E0
0x
66E4
0x
66E8
0x
6710
0x
6714
0x
6718
0x
671C
0x
6720
0x
6724
0x
6728
0x
672C
0x
6730
0x
6734
0x
6738
0x
6744
0x
6748
0x
6754
0x
676C
0x
6770
0x
6774
0x
6778
0x
677C
0x
6780
0x
6784
0x
6798
0x
679C
0x
67A0
0x
67A4
0x
67A8
0x
67B0
0x
67B4
0x
67B8
0x
67BC
0x
67C0
0x
67C4
0x
67C8
0x
67CC
0x
67D0
0x
67E4
0x
67E8
0x
67EC
0x
67F0
0x
67F4
0x
67F8
0x
67FC
0x
6410
0x
6460
0x
64A0
0x
65FC
0x
65E8
0x
6498
0x
6600
0x
645C
0x
6488
0x
3240
0x
3310
0x
375C
0x
6754
0x
6768
0x
67DC
0x
67E0
0x
6760
0x
678C
0x
67D4
0x
67AC
0x
6788
0x
67D8
0x
675C
0x
6764
0x
6804
0x
6808
0x
680C
0x
6810
0x
681C
0x
6820
0x
6834
0x
6838
0x
683C
0x
6840
0x
6844
0x
6848
0x
684C
0x
6850
0x
6854
0x
6858
0x
685C
0x
6860
0x
6864
0x
6868
0x
686C
0x
6870
0x
6874
0x
6880
0x
6884
0x
6888
0x
6898
0x
689C
0x
68A0
0x
68A4
0x
68A8
0x
68AC
0x
68B0
0x
68B4
0x
68B8
0x
68BC
0x
68C0
0x
68C4
0x
68C8
0x
68CC
0x
68D0
0x
68D4
0x
68D8
0x
68DC
0x
68E0
0x
68E4
0x
68E8
0x
68EC
0x
68F0
0x
68F4
0x
68F8
0x
68FC
0x
6900
0x
6904
0x
6908
0x
690C
0x
6914
0x
6918
0x
691C
0x
6920
0x
6924
0x
6928
0x
692C
0x
6930
0x
6934
0x
6938
0x
693C
0x
6940
0x
6944
0x
6948
0x
694C
0x
6950
0x
6954
0x
6958
0x
695C
0x
6960
0x
6964
0x
6968
0x
696C
0x
6970
0x
6974
0x
6978
0x
697C
0x
6980
0x
6984
0x
6988
0x
698C
0x
6990
0x
6994
0x
6998
0x
699C
0x
69A0
0x
69A4
0x
69A8
0x
69AC
0x
69B0
0x
69B4
0x
69B8
0x
69BC
0x
69C0
0x
69C4
0x
69C8
0x
69CC
0x
69D0
0x
69D4
0x
69D8
0x
69DC
0x
69E0
0x
69E4
0x
69E8
0x
69EC
0x
69F0
0x
69F4
0x
69F8
0x
69FC
0x
6A00
0x
6A04
0x
6A08
0x
6A0C
0x
6A10
0x
6A14
0x
6A18
0x
6A1C
0x
6A20
0x
6A24
0x
6A28
0x
6A2C
0x
6A30
0x
6A34
0x
6A38
0x
6A3C
0x
6A40
0x
6A44
0x
6A48
0x
6A4C
0x
6A50
0x
6A54
0x
6A58
0x
6A5C
0x
6A60
0x
6A64
0x
6A68
0x
6A7C
0x
6A80
0x
6A8C
0x
6A90
0x
6A94
0x
6A98
0x
6A9C
0x
6AA0
0x
6AA8
0x
6AAC
0x
6AB0
0x
6AB4
0x
6ABC
0x
6AC0
0x
6AC4
0x
6AC8
0x
6AD8
0x
6ADC
0x
6AE0
0x
6AE4
0x
6AE8
0x
6AEC
0x
6AF0
0x
6AF4
0x
6AF8
0x
6AFC
0x
6B00
0x
6B04
0x
6B08
0x
6B0C
0x
6B10
0x
6B14
0x
6B18
0x
6B1C
0x
6B20
0x
6B24
0x
6B28
0x
6B2C
0x
6B30
0x
6B34
0x
6B38
0x
6B3C
0x
6B40
0x
6B44
0x
6B48
0x
6B4C
0x
6B50
0x
6B54
0x
6B58
0x
6B5C
0x
6B60
0x
6B64
0x
6B68
0x
6B6C
0x
6B70
0x
6B74
0x
6B78
0x
6B7C
0x
6B80
0x
6B84
0x
6B88
0x
6B8C
0x
6B90
0x
6B94
0x
6B98
0x
6B9C
0x
6BA0
0x
6BA4
0x
6BA8
0x
6BAC
0x
6BB0
0x
6BB4
0x
6BB8
0x
6BBC
0x
6BC0
0x
6BC4
0x
6BC8
0x
6BCC
0x
6BD0
0x
6BD4
0x
6BD8
0x
6BDC
0x
6BE0
0x
6BE4
0x
6BE8
0x
6BEC
0x
6BF0
0x
6BF4
0x
6BF8
0x
6BFC
0x
6810
0x
6828
0x
6890
0x
6894
0x
6818
0x
6830
0x
687C
0x
6878
0x
682C
0x
688C
0x
6814
0x
6824
0x
6910
0x
6A68
0x
6A78
0x
6AD0
0x
6AD4
0x
6A70
0x
6A88
0x
6AB8
0x
6AA4
0x
6A84
0x
6C04
0x
6C08
0x
6C0C
0x
6C10
0x
6C14
0x
6C18
0x
6C1C
0x
6C20
0x
6C24
0x
6C28
0x
6C2C
0x
6C30
0x
6C34
0x
6C38
0x
6C3C
0x
6C40
0x
6C44
0x
6C48
0x
6C4C
0x
6C50
0x
6C54
0x
6C58
0x
6C5C
0x
6C60
0x
6C64
0x
6C68
0x
6C6C
0x
6C70
0x
6C74
0x
6C78
0x
6C7C
0x
6C80
0x
6C84
0x
6C88
0x
6C8C
0x
6C90
0x
6C94
0x
6C98
0x
6C9C
0x
6CA0
0x
6CA4
0x
6CA8
0x
6CAC
0x
6CB0
0x
6CB4
0x
6CB8
0x
6CBC
0x
6CC0
0x
6CC4
0x
6CC8
0x
6CCC
0x
6CD0
0x
6CD4
0x
6CD8
0x
6CDC
0x
6CE0
0x
6CE4
0x
6CE8
0x
6CEC
0x
6CF0
0x
6CF4
0x
6CF8
0x
6CFC
0x
6D00
0x
6D04
0x
6D08
0x
6D0C
0x
6D10
0x
6D14
0x
6D18
0x
6D1C
0x
6D20
0x
6D24
0x
6D28
0x
6D2C
0x
6D30
0x
6D34
0x
6D38
0x
6D3C
0x
6D40
0x
6D44
0x
6D48
0x
6D4C
0x
6D50
0x
6D54
0x
6D58
0x
6D5C
0x
6D60
0x
6D64
0x
6D68
0x
6D6C
0x
6D70
0x
6D74
0x
6D80
0x
6D84
0x
6D88
0x
6D8C
0x
6D90
0x
6D94
0x
6D98
0x
6D9C
0x
6DA0
0x
6DA4
0x
6DA8
0x
6DAC
0x
6DB0
0x
6DB4
0x
6DB8
0x
6DBC
0x
6DC0
0x
6DC4
0x
6DC8
0x
6DCC
0x
6DD0
0x
6DD4
0x
6DD8
0x
6DDC
0x
6DE0
0x
6DE4
0x
6DE8
0x
6DEC
0x
6DF0
0x
6E00
0x
6E08
0x
6E0C
0x
6E10
0x
6E14
0x
6E18
0x
6E1C
0x
6E20
0x
6E24
0x
6E28
0x
6E2C
0x
6E30
0x
6E34
0x
6E38
0x
6E3C
0x
6E40
0x
6E44
0x
6E48
0x
6E4C
0x
6E50
0x
6E54
0x
6E58
0x
6E5C
0x
6E60
0x
6E64
0x
6E68
0x
6E6C
0x
6E70
0x
6E78
0x
6E7C
0x
6E80
0x
6E84
0x
6E88
0x
6E8C
0x
6E90
0x
6E94
0x
6E98
0x
6E9C
0x
6EA0
0x
6EA4
0x
6EA8
0x
6EAC
0x
6EB0
0x
6EB4
0x
6EB8
0x
6EBC
0x
6EC0
0x
6EC4
0x
6EC8
0x
6ECC
0x
6ED0
0x
6ED4
0x
6ED8
0x
6EDC
0x
6EE0
0x
6EE4
0x
6EE8
0x
6EF0
0x
6EF4
0x
6EF8
0x
6EFC
0x
6F00
0x
6F04
0x
6F08
0x
6F0C
0x
6F10
0x
6F14
0x
6F18
0x
6F1C
0x
6F20
0x
6F24
0x
6F28
0x
6F2C
0x
6F30
0x
6F34
0x
6F38
0x
6F3C
0x
6F40
0x
6F44
0x
6F48
0x
6F4C
0x
6F50
0x
6F54
0x
6F58
0x
6F5C
0x
6F60
0x
6F64
0x
6F68
0x
6F6C
0x
6F70
0x
6F74
0x
6F78
0x
6F7C
0x
6F80
0x
6F84
0x
6F88
0x
6F8C
0x
6F90
0x
6F94
0x
6F98
0x
6F9C
0x
6FA0
0x
6FA4
0x
6FA8
0x
6FAC
0x
6FB0
0x
6FB4
0x
6FB8
0x
6FBC
0x
6FC0
0x
6FC4
0x
6FC8
0x
6FCC
0x
6FD0
0x
6FD4
0x
6FD8
0x
6FE8
0x
6FEC
0x
6FF0
0x
6FF4
0x
6FF8
0x
6FFC
0x
6ACC
0x
6A6C
0x
6A74
0x
6D64
0x
6DF8
0x
FD0
0x
6FE0
0x
6FE4
0x
6D7C
0x
6E04
0x
6EEC
0x
6E74
0x
6DFC
0x
7004
0x
7008
0x
700C
0x
7010
0x
7014
0x
7018
0x
701C
0x
7020
0x
7024
0x
7028
0x
702C
0x
7030
0x
7034
0x
7038
0x
703C
0x
7040
0x
7044
0x
7048
0x
704C
0x
7050
0x
7054
0x
7058
0x
705C
0x
7060
0x
7064
0x
7068
0x
706C
0x
7070
0x
7074
0x
7078
0x
707C
0x
7080
0x
7084
0x
7088
0x
708C
0x
7090
0x
7094
0x
7098
0x
709C
0x
70A0
0x
70A4
0x
70A8
0x
70AC
0x
70B0
0x
70B4
0x
70B8
0x
70BC
0x
70C0
0x
70C4
0x
70C8
0x
70CC
0x
70D0
0x
70D4
0x
70D8
0x
70DC
0x
70E0
0x
70E4
0x
70E8
0x
70EC
0x
70F0
0x
70F4
0x
70F8
0x
70FC
0x
7100
0x
7104
0x
7108
0x
710C
0x
7110
0x
7114
0x
7118
0x
711C
0x
7120
0x
7124
0x
712C
0x
7130
0x
7134
0x
7138
0x
713C
0x
7144
0x
7148
0x
714C
0x
7150
0x
7154
0x
7158
0x
715C
0x
7160
0x
7164
0x
7168
0x
716C
0x
7170
0x
7174
0x
7178
0x
717C
0x
7180
0x
7184
0x
7188
0x
718C
0x
7190
0x
7194
0x
7198
0x
719C
0x
71A0
0x
71A4
0x
71A8
0x
71AC
0x
71B0
0x
71B4
0x
71B8
0x
71BC
0x
71C0
0x
71C4
0x
71C8
0x
71CC
0x
71D0
0x
71D4
0x
71D8
0x
71DC
0x
71E0
0x
71E4
0x
71E8
0x
71EC
0x
71F0
0x
71F4
0x
71F8
0x
71FC
0x
7200
0x
7204
0x
7208
0x
720C
0x
7210
0x
7214
0x
7218
0x
721C
0x
7220
0x
7224
0x
7228
0x
722C
0x
7230
0x
7234
0x
7238
0x
723C
0x
7240
0x
7244
0x
7248
0x
724C
0x
7250
0x
7254
0x
7258
0x
725C
0x
7260
0x
7274
0x
7278
0x
7284
0x
7288
0x
728C
0x
7290
0x
7294
0x
7298
0x
72A0
0x
72A4
0x
72A8
0x
72AC
0x
72B0
0x
72B4
0x
72BC
0x
72C0
0x
72C4
0x
72C8
0x
72CC
0x
72D0
0x
72D4
0x
72D8
0x
72E8
0x
72EC
0x
72F0
0x
72F4
0x
72F8
0x
72FC
0x
7300
0x
7304
0x
7308
0x
730C
0x
7310
0x
7314
0x
7318
0x
731C
0x
7320
0x
7324
0x
7328
0x
732C
0x
7330
0x
7360
0x
7364
0x
7368
0x
736C
0x
7370
0x
7374
0x
7378
0x
737C
0x
7380
0x
7384
0x
7388
0x
738C
0x
7390
0x
7394
0x
7398
0x
739C
0x
73A0
0x
73A4
0x
73A8
0x
73AC
0x
73B0
0x
73B4
0x
73B8
0x
73BC
0x
73C0
0x
73C4
0x
73C8
0x
73CC
0x
73D0
0x
73D4
0x
73D8
0x
73DC
0x
73E0
0x
73E4
0x
73E8
0x
73EC
0x
73F0
0x
73F4
0x
73F8
0x
73FC
0x
6FDC
0x
6D78
0x
6DF4
0x
F98
0x
880
0x
7260
0x
7270
0x
72E0
0x
72E4
0x
7268
0x
7280
0x
72B8
0x
729C
0x
727C
0x
72DC
0x
7264
0x
726C
0x
7330
0x
7340
0x
3F4
0x
7358
0x
735C
0x
7338
0x
7348
0x
7350
0x
734C
0x
7344
0x
7354
0x
7334
0x
733C
0x
608
0x
314
0x
120
0x
3D4
0x
850
0x
540
0x
7420
0x
7424
0x
7428
0x
742C
0x
7430
0x
7434
0x
7438
0x
743C
0x
7440
0x
7444
0x
7448
0x
744C
0x
7450
0x
7454
0x
7458
0x
745C
0x
7460
0x
7464
0x
7468
0x
746C
0x
7470
0x
7474
0x
7478
0x
747C
0x
7480
0x
7484
0x
7488
0x
748C
0x
7490
0x
7498
0x
749C
0x
74A0
0x
74A4
0x
74AC
0x
74B0
0x
74B4
0x
74B8
0x
74BC
0x
74C0
0x
74C4
0x
74C8
0x
74CC
0x
74D0
0x
74D4
0x
74D8
0x
74DC
0x
74E0
0x
74E4
0x
74E8
0x
74EC
0x
74F0
0x
74F4
0x
74F8
0x
74FC
0x
7500
0x
750C
0x
7510
0x
751C
0x
7520
0x
7528
0x
752C
0x
7530
0x
7534
0x
7538
0x
753C
0x
7540
0x
7564
0x
7568
0x
756C
0x
7570
0x
7574
0x
7578
0x
757C
0x
7580
0x
7584
0x
7588
0x
758C
0x
7590
0x
7594
0x
7598
0x
759C
0x
75A0
0x
75A4
0x
75A8
0x
75AC
0x
75B0
0x
75B4
0x
75B8
0x
75BC
0x
75C0
0x
75C4
0x
75C8
0x
75CC
0x
75D0
0x
75D4
0x
75D8
0x
75DC
0x
75E0
0x
75E4
0x
75E8
0x
75EC
0x
75F0
0x
75F4
0x
75F8
0x
75FC
0x
7600
0x
7604
0x
7608
0x
760C
0x
7610
0x
7614
0x
7618
0x
761C
0x
7620
0x
7624
0x
7628
0x
762C
0x
7630
0x
7634
0x
7638
0x
763C
0x
7640
0x
7644
0x
7648
0x
764C
0x
7650
0x
7654
0x
7658
0x
765C
0x
7660
0x
7664
0x
7668
0x
766C
0x
7670
0x
7674
0x
7678
0x
767C
0x
7680
0x
7684
0x
7688
0x
768C
0x
7690
0x
7694
0x
7698
0x
769C
0x
76A0
0x
76A4
0x
76A8
0x
76AC
0x
76B0
0x
76B4
0x
76B8
0x
76BC
0x
76C0
0x
76C4
0x
76C8
0x
76CC
0x
76D0
0x
76D4
0x
76D8
0x
76DC
0x
76E0
0x
76E4
0x
76E8
0x
76EC
0x
76F0
0x
76F4
0x
76F8
0x
76FC
0x
7700
0x
7704
0x
7708
0x
770C
0x
7710
0x
7714
0x
7718
0x
771C
0x
7720
0x
7724
0x
7728
0x
772C
0x
7730
0x
7734
0x
7738
0x
773C
0x
7740
0x
7744
0x
7748
0x
774C
0x
7750
0x
7754
0x
7758
0x
775C
0x
7760
0x
7764
0x
7768
0x
776C
0x
7770
0x
7774
0x
7778
0x
777C
0x
7780
0x
7784
0x
7788
0x
778C
0x
7790
0x
7794
0x
7798
0x
779C
0x
77A0
0x
77A4
0x
77A8
0x
77AC
0x
77B0
0x
77B4
0x
77B8
0x
77BC
0x
77C0
0x
77C4
0x
77C8
0x
77CC
0x
77D0
0x
77D4
0x
77D8
0x
77DC
0x
77E0
0x
77E4
0x
77E8
0x
77EC
0x
77F0
0x
77F4
0x
77F8
0x
77FC
0x
540
0x
7404
0x
741C
0x
7494
0x
428
0x
740C
0x
7414
0x
7410
0x
7408
0x
7418
0x
3E4
0x
A64
0x
74A8
0x
F40
0x
8F4
0x
840
0x
298
0x
668
0x
1FDC
0x
25D0
0x
944
0x
74E4
0x
7518
0x
7554
0x
7558
0x
7508
0x
7544
0x
754C
0x
7548
0x
7524
0x
7550
0x
7504
0x
7514
0x
7804
0x
7808
0x
780C
0x
7810
0x
7814
0x
7818
0x
781C
0x
7820
0x
7824
0x
7828
0x
782C
0x
7830
0x
7834
0x
7838
0x
783C
0x
7840
0x
7844
0x
7848
0x
784C
0x
7850
0x
7854
0x
7858
0x
785C
0x
7860
0x
7864
0x
7868
0x
786C
0x
7870
0x
7874
0x
7878
0x
787C
0x
7880
0x
7884
0x
7888
0x
788C
0x
7890
0x
7894
0x
7898
0x
789C
0x
78A0
0x
78A4
0x
78A8
0x
78AC
0x
78B0
0x
78B4
0x
78B8
0x
78BC
0x
78C0
0x
78C4
0x
78C8
0x
78CC
0x
78D0
0x
78D4
0x
78D8
0x
78DC
0x
78E0
0x
78E4
0x
78E8
0x
78EC
0x
78F0
0x
78F4
0x
78F8
0x
78FC
0x
7900
0x
7904
0x
7908
0x
790C
0x
7910
0x
7914
0x
7918
0x
791C
0x
7920
0x
7924
0x
7928
0x
792C
0x
7930
0x
7934
0x
7938
0x
793C
0x
7940
0x
7944
0x
7948
0x
794C
0x
7950
0x
7954
0x
7958
0x
795C
0x
7960
0x
7964
0x
7968
0x
796C
0x
7970
0x
7974
0x
7978
0x
797C
0x
7980
0x
7984
0x
7988
0x
798C
0x
7990
0x
7994
0x
7998
0x
799C
0x
79A0
0x
79A4
0x
79A8
0x
79AC
0x
79B0
0x
79B4
0x
79B8
0x
79BC
0x
79C0
0x
79C4
0x
79C8
0x
79CC
0x
79D0
0x
79D4
0x
79D8
0x
79DC
0x
79E0
0x
79E4
0x
79E8
0x
79EC
0x
79F0
0x
79F4
0x
79F8
0x
79FC
0x
7A00
0x
7A04
0x
7A08
0x
7A0C
0x
7A10
0x
7A14
0x
7A18
0x
7A1C
0x
7A20
0x
7A24
0x
7A28
0x
7A2C
0x
7A30
0x
7A34
0x
7A38
0x
7A3C
0x
7A40
0x
7A44
0x
7A48
0x
7A4C
0x
7A50
0x
7A54
0x
7A58
0x
7A5C
0x
7A60
0x
7A64
0x
7A68
0x
7A6C
0x
7A70
0x
7A74
0x
7A78
0x
7A7C
0x
7A80
0x
7A84
0x
7A88
0x
7A8C
0x
7A90
0x
7A94
0x
7A98
0x
7A9C
0x
7AA0
0x
7AA4
0x
7AA8
0x
7AAC
0x
7AB0
0x
7AB4
0x
7AB8
0x
7ABC
0x
7AC0
0x
7AC4
0x
7AC8
0x
7ACC
0x
7AD0
0x
7AD4
0x
7AD8
0x
7ADC
0x
7AE0
0x
7AE4
0x
7AE8
0x
7AEC
0x
7AF0
0x
7AF4
0x
7AF8
0x
7AFC
0x
7B00
0x
7B04
0x
7B08
0x
7B0C
0x
7B10
0x
7B14
0x
7B18
0x
7B1C
0x
7B20
0x
7B24
0x
7B28
0x
7B2C
0x
7B30
0x
7B34
0x
7B38
0x
7B3C
0x
7B40
0x
7B44
0x
7B48
0x
7B4C
0x
7B50
0x
7B54
0x
7B58
0x
7B5C
0x
7B60
0x
7B64
0x
7B68
0x
7B6C
0x
7B70
0x
7B74
0x
7B78
0x
7B7C
0x
7B80
0x
7B84
0x
7B88
0x
7B8C
0x
7B90
0x
7B94
0x
7B98
0x
7B9C
0x
7BA0
0x
7BA4
0x
7BA8
0x
7BAC
0x
7BB0
0x
7BB4
0x
7BB8
0x
7BBC
0x
7BC0
0x
7BC4
0x
7BC8
0x
7BCC
0x
7BD0
0x
7BD4
0x
7BD8
0x
7BDC
0x
7BE0
0x
7BE4
0x
7BE8
0x
7BEC
0x
7BF0
0x
7BF4
0x
7BF8
0x
7BFC
0x
7C04
0x
7C08
0x
7C0C
0x
7C10
0x
7C14
0x
7C18
0x
7C1C
0x
7C20
0x
7C24
0x
7C28
0x
7C2C
0x
7C30
0x
7C34
0x
7C38
0x
7C3C
0x
7C40
0x
7C44
0x
7C48
0x
7C4C
0x
7C50
0x
7C54
0x
7C58
0x
7C5C
0x
7C60
0x
7C64
0x
7C68
0x
7C6C
0x
7C70
0x
7C74
0x
7C78
0x
7C7C
0x
7C80
0x
7C84
0x
7C88
0x
7C8C
0x
7C90
0x
7C94
0x
7C98
0x
7C9C
0x
7CA0
0x
7CA4
0x
7CA8
0x
7CAC
0x
7CB0
0x
7CB4
0x
7CB8
0x
7CBC
0x
7CC0
0x
7CC4
0x
7CC8
0x
7CCC
0x
7CD0
0x
7CD4
0x
7CD8
0x
7CDC
0x
7CE0
0x
7CE4
0x
7CE8
0x
7CEC
0x
7CF0
0x
7CF4
0x
7CF8
0x
7CFC
0x
7D00
0x
7D04
0x
7D08
0x
7D0C
0x
7D10
0x
7D14
0x
7D18
0x
7D1C
0x
7D20
0x
7D24
0x
7D28
0x
7D2C
0x
7D30
0x
7D34
0x
7D38
0x
7D3C
0x
7D40
0x
7D44
0x
7D48
0x
7D4C
0x
7D50
0x
7D54
0x
7D58
0x
7D5C
0x
7D60
0x
7D64
0x
7D68
0x
7D6C
0x
7D70
0x
7D74
0x
7D78
0x
7D7C
0x
7D80
0x
7D84
0x
7D88
0x
7D8C
0x
7D90
0x
7D94
0x
7D98
0x
7D9C
0x
7DA0
0x
7DA4
0x
7DA8
0x
7DAC
0x
7DB0
0x
7DB4
0x
7DB8
0x
7DBC
0x
7DC0
0x
7DC4
0x
7DC8
0x
7DCC
0x
7DD0
0x
7DD4
0x
7DD8
0x
7DDC
0x
7DE0
0x
7DE4
0x
7DE8
0x
7DEC
0x
7DF0
0x
7DF4
0x
7DF8
0x
7DFC
0x
7E00
0x
7E04
0x
7E08
0x
7E0C
0x
7E10
0x
7E14
0x
7E18
0x
7E1C
0x
7E20
0x
7E24
0x
7E28
0x
7E2C
0x
7E30
0x
7E34
0x
7E38
0x
7E3C
0x
7E40
0x
7E44
0x
7E48
0x
7E4C
0x
7E50
0x
7E54
0x
7E58
0x
7E5C
0x
7E60
0x
7E64
0x
7E68
0x
7E6C
0x
7E70
0x
7E74
0x
7E78
0x
7E7C
0x
7E80
0x
7E84
0x
7E88
0x
7E8C
0x
7E90
0x
7E94
0x
7E98
0x
7E9C
0x
7EA0
0x
7EA4
0x
7EA8
0x
7EAC
0x
7EB0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000070b7e70000 | 0x70b7e70000 | 0x70b7e8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000070b7e70000 | 0x70b7e70000 | 0x70b7e7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000070b7e80000 | 0x70b7e80000 | 0x70b7e86fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000070b7e90000 | 0x70b7e90000 | 0x70b7ea3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000070b7eb0000 | 0x70b7eb0000 | 0x70b7faffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000070b7fb0000 | 0x70b7fb0000 | 0x70b7fb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000070b7fc0000 | 0x70b7fc0000 | 0x70b7fc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000070b7fd0000 | 0x70b7fd0000 | 0x70b7fd1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000070b7fe0000 | 0x70b7fe0000 | 0x70b7fe6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000070b7ff0000 | 0x70b7ff0000 | 0x70b7ff0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000070b8000000 | 0x70b8000000 | 0x70b800ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000070b8010000 | 0x70b8010000 | 0x70b8010fff | Private Memory | rw |
|
|
|
- |
| private_0x00000070b8020000 | 0x70b8020000 | 0x70b811ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x70b8120000 | 0x70b81ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000070b81e0000 | 0x70b81e0000 | 0x70b82dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000070b82e0000 | 0x70b82e0000 | 0x70b8467fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000070b8470000 | 0x70b8470000 | 0x70b85f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000070b8600000 | 0x70b8600000 | 0x70b99fffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000070b9a00000 | 0x70b9a00000 | 0x70b9afffff | Private Memory | rw |
|
|
|
- |
| private_0x00000070b9b00000 | 0x70b9b00000 | 0x70b9b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000070b9b00000 | 0x70b9b00000 | 0x70b9b15fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000070b9b00000 | 0x70b9b00000 | 0x70b9b08fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000070b9b00000 | 0x70b9b00000 | 0x70b9b12fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000070b9b00000 | 0x70b9b00000 | 0x70b9b02fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000070b9b00000 | 0x70b9b00000 | 0x70b9b01fff | Private Memory | rwx |
|
|
|
- |
| sortdefault.nls | 0x70b9b10000 | 0x70b9e46fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000070b9b20000 | 0x70b9b20000 | 0x70b9b28fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000070b9b20000 | 0x70b9b20000 | 0x70ba31ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000070b9e50000 | 0x70b9e50000 | 0x70b9e58fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000070b9e50000 | 0x70b9e50000 | 0x70b9e50fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000070b9e60000 | 0x70b9e60000 | 0x70b9f5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000070b9e60000 | 0x70b9e60000 | 0x70b9e60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000070b9e60000 | 0x70b9e60000 | 0x70b9e75fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000070b9e60000 | 0x70b9e60000 | 0x70b9e75fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000070b9e60000 | 0x70b9e60000 | 0x70b9e62fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000070b9e80000 | 0x70b9e80000 | 0x70b9e95fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000070b9f60000 | 0x70b9f60000 | 0x70b9f68fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000070b9f60000 | 0x70b9f60000 | 0x70ba05ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000070ba060000 | 0x70ba060000 | 0x70ba060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000070ba060000 | 0x70ba060000 | 0x70ba062fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000070ba070000 | 0x70ba070000 | 0x70ba070fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x70ba080000 | 0x70ba083fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x70ba090000 | 0x70ba093fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000070ba0a0000 | 0x70ba0a0000 | 0x70ba0a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x70ba0a0000 | 0x70ba0a3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000070ba0b0000 | 0x70ba0b0000 | 0x70ba0bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000070ba0c0000 | 0x70ba0c0000 | 0x70ba1bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000070ba1c0000 | 0x70ba1c0000 | 0x70ba2bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000070ba2c0000 | 0x70ba2c0000 | 0x70ba3bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000070ba320000 | 0x70ba320000 | 0x70bab1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db | 0x70ba3c0000 | 0x70ba402fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x70ba410000 | 0x70ba49afff | Memory Mapped File | r |
|
|
|
- |
| propsys.dll.mui | 0x70ba4a0000 | 0x70ba4b0fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x70ba4c0000 | 0x70ba4d2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000070ba4e0000 | 0x70ba4e0000 | 0x70ba4e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000070ba4f0000 | 0x70ba4f0000 | 0x70ba5effff | Private Memory | rw |
|
|
|
- |
| private_0x00000070ba5f0000 | 0x70ba5f0000 | 0x70ba6effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000070ba5f0000 | 0x70ba5f0000 | 0x70badeffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000070ba5f0000 | 0x70ba5f0000 | 0x70ba603fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000070ba5f0000 | 0x70ba5f0000 | 0x70ba606fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000070ba610000 | 0x70ba610000 | 0x70bae0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000070ba6f0000 | 0x70ba6f0000 | 0x70ba7effff | Private Memory | rw |
|
|
|
- |
| private_0x00000070ba6f0000 | 0x70ba6f0000 | 0x70ba6f2fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000070ba6f0000 | 0x70ba6f0000 | 0x70ba6f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000070ba700000 | 0x70ba700000 | 0x70ba7fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000070ba7f0000 | 0x70ba7f0000 | 0x70ba8effff | Private Memory | rw |
|
|
|
- |
| private_0x00000070ba7f0000 | 0x70ba7f0000 | 0x70ba7f2fff | Private Memory | rw |
|
|
|
- |
| private_0x00000070ba800000 | 0x70ba800000 | 0x70ba8f4fff | Private Memory | rw |
|
|
|
- |
| private_0x00000070ba800000 | 0x70ba800000 | 0x70ba802fff | Private Memory | rw |
|
|
|
- |
| private_0x00000070ba8f0000 | 0x70ba8f0000 | 0x70ba9effff | Private Memory | rw |
|
|
|
- |
| private_0x00000070ba8f0000 | 0x70ba8f0000 | 0x70ba8f2fff | Private Memory | rw |
|
|
|
- |
| private_0x00000070ba9f0000 | 0x70ba9f0000 | 0x70baaeffff | Private Memory | rw |
|
|
|
- |
| private_0x00000070ba9f0000 | 0x70ba9f0000 | 0x70ba9f2fff | Private Memory | rw |
|
|
|
- |
| private_0x00000070baaf0000 | 0x70baaf0000 | 0x70baaf2fff | Private Memory | rw |
|
|
|
- |
| private_0x00000070baaf0000 | 0x70baaf0000 | 0x70babeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000070bab20000 | 0x70bab20000 | 0x70bab32fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000070babf0000 | 0x70babf0000 | 0x70baceffff | Private Memory | rw |
|
|
|
- |
| private_0x00000070bacf0000 | 0x70bacf0000 | 0x70badeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000070badf0000 | 0x70badf0000 | 0x70bb5effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000070badf0000 | 0x70badf0000 | 0x70baeeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000070bae10000 | 0x70bae10000 | 0x70bb60ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000070baef0000 | 0x70baef0000 | 0x70bafeffff | Private Memory | rw |
|
|
|
- |
| private_0x00000070baff0000 | 0x70baff0000 | 0x70bb0effff | Private Memory | rw |
|
|
|
- |
| private_0x00000070bb0f0000 | 0x70bb0f0000 | 0x70bb1effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000070bb610000 | 0x70bb610000 | 0x70bb626fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00007ff6ac754000 | 0x7ff6ac754000 | 0x7ff6ac755fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ac756000 | 0x7ff6ac756000 | 0x7ff6ac757fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ac758000 | 0x7ff6ac758000 | 0x7ff6ac759fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ac75a000 | 0x7ff6ac75a000 | 0x7ff6ac75bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ac75c000 | 0x7ff6ac75c000 | 0x7ff6ac75dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ac75e000 | 0x7ff6ac75e000 | 0x7ff6ac75ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ac760000 | 0x7ff6ac760000 | 0x7ff6ac761fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ac762000 | 0x7ff6ac762000 | 0x7ff6ac763fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ac764000 | 0x7ff6ac764000 | 0x7ff6ac765fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ac766000 | 0x7ff6ac766000 | 0x7ff6ac767fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ac768000 | 0x7ff6ac768000 | 0x7ff6ac769fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ac76a000 | 0x7ff6ac76a000 | 0x7ff6ac76bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ac76c000 | 0x7ff6ac76c000 | 0x7ff6ac76dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ac76e000 | 0x7ff6ac76e000 | 0x7ff6ac76ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6ac770000 | 0x7ff6ac770000 | 0x7ff6ac86ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6ac870000 | 0x7ff6ac870000 | 0x7ff6ac892fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6ac893000 | 0x7ff6ac893000 | 0x7ff6ac894fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ac895000 | 0x7ff6ac895000 | 0x7ff6ac896fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ac897000 | 0x7ff6ac897000 | 0x7ff6ac898fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ac899000 | 0x7ff6ac899000 | 0x7ff6ac89afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ac89b000 | 0x7ff6ac89b000 | 0x7ff6ac89cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ac89d000 | 0x7ff6ac89d000 | 0x7ff6ac89efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6ac89f000 | 0x7ff6ac89f000 | 0x7ff6ac89ffff | Private Memory | rw |
|
|
|
- |
| fkgcs.exe | 0x7ff6ad000000 | 0x7ff6ad395fff | Memory Mapped File | rwx |
|
|
|
|
| actxprxy.dll | 0x7ffc48ff0000 | 0x7ffc49459fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x7ffc4b540000 | 0x7ffc4b6d6fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ffc4ddd0000 | 0x7ffc4e145fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc511b0000 | 0x7ffc51332fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ffc52cd0000 | 0x7ffc52d47fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffc53810000 | 0x7ffc5382bfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 376 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\installcache_x64\baseimagefam8.RYK | 10.00 MB |
MD5:
aeeb0546a3e47f56c8e7ecefbff8126a
SHA1: 6fc862f02851e4e5e3693fd9fc91383ceb303270 SHA256: 8c381934111e5404821f27e5d94a47096ac5f99aa1c6dcd4e4f520e0bff44b02 SSDeep: 196608:uJP0RHR6ADMycQX/vtvdxx5Sg83jC7DtQMp5lRuKNj41gAEjk0hLSUytmKXr/Rse:6P0RHUMDxx5SR327xQseEjkx/mGr/bT |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Pending.GRL.RYK | 14.89 KB |
MD5:
5041e3d628fe6919658d6767d5064ed1
SHA1: c2a8fba25aa392e67c06541eb7b7fd550039951d SHA256: 265c70d81318b6008f3175312138a96df315815a32772e79f8fc4749d7043cb5 SSDeep: 384:/pr6SXH5frirPm7WroYl1aHwJ/BUwncjaZmNuAuC5Cag:AcZfTqUg15BUzOZmx5Cag |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\3\0000000000000000.idx.RYK | 0.36 KB |
MD5:
fa70de4d7d9377605588bd6c66e5152f
SHA1: 027f30f404e4c2cbe0c7e41bb5d39e754ad74364 SHA256: c5242d820de452b6a26fbc0f2052f3f987fbbbc2e47f41f4078bd51fb103a288 SSDeep: 6:wFFdXe36Oo/pf3kJTrMvWdZUzqmFeNMdbXOcgWNECH4XFWK06RK6krmDY:2Fds9S3yTrUWPqRFxbXOxWNECYXFskkl |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\09\13711.RYK | 0.41 KB |
MD5:
46597857f3987020f85d011de7940f55
SHA1: eed0c92193dcb5d45bbd760a9b54700ac8aac84b SHA256: b8658e95bd4fc3f30238b103ede3fda4334e06d07dd9879c6417c509344c2a7a SSDeep: 12:tqD0jL5uggN0xHQW7HTPzdI0XEApKAYzBYFTl4M:sD0jL58NiHDb9dXECKnz+AM |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Check For Updates.lnk.RYK | 2.35 KB |
MD5:
7bbe56b3f14c296aafe31763efa820f5
SHA1: 9d33d0f2ac79cb15e58735a0ae4fa4a615ecb798 SHA256: 0e60775c65fd61a2b9ff457356ac5a4c16b3c0d1f8762c02166d9d07e2ef2fa6 SSDeep: 48:iqwkCB48JP++/GXE9y7rVsu0lPvoKne8TsoWRcT1+9lJ5:iLkCB485+f9JsXlTfWRt15 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Visit Java.com.url.RYK | 0.46 KB |
MD5:
beaaa2b3fcb857d5bab43eb91bef0296
SHA1: c832ccbc441238f9f89688ef03bb0f71e6c74565 SHA256: 63f9d5ebe4b018a9cd185eb85642ddb9be33fc04897f8454d69872255ec809e4 SSDeep: 12:zgJ66Uug4616p+lcVA9zSCMSWZAOUYR2joJYVZIy83u/P:8651Vl1S5xUYRaoJhs |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\21\260.RYK | 0.41 KB |
MD5:
72e7abe6acf6263232ec086baffee10e
SHA1: d27b725a4445764ca81bd5b38764b37bbad69d68 SHA256: df1562dab7582fd26fee04923b56911cf2aee0f8a4a14b0ad53f1ce8cd691ca8 SSDeep: 6:koxkE+uEbqXfXGmKv7/LKhKY+ngsTZjTZmSdGV1n9Xp9/8IvRIqJuSJ3ycn:YuEbqXfXK/LKhK7ZZm84T9tm8u27 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\1\0000000000000000.idx.RYK | 0.36 KB |
MD5:
b2bbc807102c1aaaed31ed707da44966
SHA1: ff253c60318091a01dd822086f0283829e1caf9d SHA256: 1babe5253323370cfe6543aa70047cd19a877d2610a97286b39a36f016566593 SSDeep: 6:L3KgtzXDRJdQl5Paofxa4G1vmAc7GElxU/AUTG9ctDbFr/DLSr9onfj6qn:LKC7Di5yCG6xU/AU6kr/D+or6qn |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business.lnk.RYK | 2.67 KB |
MD5:
493d754da648468becee05fa07a46491
SHA1: ae1cefc006fc1fabbd86b0bde943165d0bd40bf9 SHA256: 7b8bc1adda7e6b2ed38e3045c5e258439ce267610318715c7ff11cb342ffc379 SSDeep: 48:Q3QUj9BZwXCsj6U9Gkxl87ORNxUN1ZxXa+S92UkAM3NUEVexL3F:Q79Fsb9GkD87ODK7ZxXazkAMCZ/ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.004.etl.RYK | 16.28 KB |
MD5:
0bc9012b8adc1ff89f14d7e2090f6368
SHA1: 12510470f2ebcee6381d06eb8faff893ef5a5139 SHA256: be2c701fa1d88445b8a36998e66a4fdcee2f49520d79ce6b9ca91d57a7041f05 SSDeep: 384:REhiawXEmo46+kj9A/sXrnvBTU/4C9wpoCqSTBziUU4QhXGt:REhkEo6+kRpBnwww+bUt2t |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel.lnk.RYK | 2.64 KB |
MD5:
743748390b196b1b486d22bbd2b18dc9
SHA1: fcd8fc169ea8b41998af9a52cb8ef10d2ff956e2 SHA256: 23790449a8b9068df239b3eea7c7645ce83ac19d3b96ee647692a15091d4d592 SSDeep: 48:QzUWNRjv0wqTiUdN4Tfh94eqji3KbOFlMkBFkovmnIl+iABhIYdDuln:zuZvq1cf34ex6GldenIv4iln |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini.RYK | 0.55 KB |
MD5:
dd5c999be7f824ad0ebdd4e1a3661b71
SHA1: 48ba8b3dbbdd28a2f64343948f352fbe088ff42e SHA256: 13c54f8a55c84c036fd42a3eb4fb761a4136b92ba5a52c7c78bbb4d333129016 SSDeep: 12:YejK+4Pa8zgOcAgs/4GeEh1yzGqd44/Vy5xD0JCh3U:pjj4PadOcVs/kEhwzGqdL/Vy/D0JEk |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Math Input Panel.lnk.RYK | 1.42 KB |
MD5:
25ecc74fb7044b81ebe6a6319952372e
SHA1: 73a90bf2fd06db3a5067ad116482e09ec7c77733 SHA256: 22a4c9ca348b0f4310a46435c68cc936ee832e5a45df73cf6750c548e097a8d7 SSDeep: 24:Vvinu2ehD8ljRU44/JsKnZ/3r+EFkey3v8r2YXhpMjKSstOD1qBkvAKQLExtzgTz:V2uLCehK2b+9ey3vQzX/fuik9uTf19 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107002.RYK | 0.41 KB |
MD5:
30ddb3ccdd57dee40113d5e3840b81c9
SHA1: bd7cc60d19a50106fc2b1a464c13767bb1ce24c6 SHA256: ffbcf59b2d11c80c838366b290753982fbed3c0113378d88660dca0e7042b778 SSDeep: 6:yRXarD71sEmrnwZ7mZo+GqizfpniC0sayZQIksC/gJe8TnfpVXrYHjwM:lrD7100ZyGb1l0spjkJYVXMUM |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Active.GRL.RYK | 14.89 KB |
MD5:
d6cd78d53f8bd9abc44b33a4b2087db0
SHA1: 36ae4597af408101770a063abc4a2f2b913fcdf8 SHA256: 36f9d040b0e73f51105280da5b10e6548cb146a7aa356a6b6bd812e196c8fac4 SSDeep: 384:4VO6Xa3lYQOf8/KR8zu/qbqhRfjRPROdTLs5TY:F3l5Of8NIxNPROhLOTY |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\00\192.RYK | 0.41 KB |
MD5:
2c16b32a5307fedf0b22eb4fea203724
SHA1: a9592e6eb10812eb7479e874b38c5c0c719e801c SHA256: 4190179b3a44e0ea22e1939c0d1711edee68bf7f167ce6106174974e090c08cb SSDeep: 12:uaI18E4ZJErgtIXNoJTsEg5cKrNzReTyNI4b97:uaI1P4gBXbNNNemBh7 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\2\90\B6D0EAFA5E8634A6.dat.RYK | 0.72 KB |
MD5:
c98912e0eb9ca88cb861d4cac0b2047e
SHA1: b2417a25d499a566ecc1fcef67efc50ee718b449 SHA256: 52d53dd35cf35404dbb8f22eb09ab287c7aaa97c320b3786393fc9746d61d703 SSDeep: 12:HA8FWBAi2v5XAazdy9d+hKi2gh/kpkfMZ9pcxYlIhPi7CyLezAnXViY431cq7o+H:3FWsRXAvYF2/pGg9ywIYazBY4Z7o+Qon |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\191.RYK | 0.41 KB |
MD5:
d31b7c50f5190c0f04b1647c9e51fe8c
SHA1: 26d68062a8d00a7642577ccafe3e91df434635c0 SHA256: 299a35c210388b6751d1f6e99a5f28af495377a356c7eed4301d6a98790eddd6 SSDeep: 6:NF2afZpv6vOFXZiV/2j4btYqMpdoJ7UwqY3glza7SoND6cVWvOoCbx:NUupv6vOdZ2ztMpWUw7386S0pW7Cl |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Outlook.lnk.RYK | 2.63 KB |
MD5:
4a2fe8d02155ab34d19a24400754ab4b
SHA1: 80b3835de18a451efc0887811f3481bd4f697957 SHA256: 681f8b0265970b205fef7795d454c42955f5673419eae60078bc8e1c70f3851c SSDeep: 48:sl5Y/QA24+jRH4IyXx7d3pV25sm26GyNZO1l/QwtE+bsx0jIvmAy+89fN68pH4:sIo7NRHxyB7d3b257IkZOnVtE+bsxUIB |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint 2016.lnk.RYK | 2.67 KB |
MD5:
91bf5685a04185260131c761f93d5130
SHA1: 49c67b611b2a6e9fe9c318ae5d791c95e5c788a2 SHA256: 39899e2161485ab1ba4619f4a7291d797020da0203fea57fded6291dab6afe1c SSDeep: 48:rJEYtqMrjxcdms/myP3w8zC4fBy+kJn1iowPu6SdnDQKkLaIZu:rFzr17s/9f0l91HzbdDQpLnZu |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini.RYK | 0.44 KB |
MD5:
bc69c28baa5e49d4293d9d0057f03d76
SHA1: b640ee7bdf0462f175966e22b20ee9901218d637 SHA256: 03928cccf603996d30c5794ecfe866b5ca47a02fc6443c0f6800cb7e21bda43b SSDeep: 12:WRd/ijFtVMzfyzZ6OO+Ec/o307ZSuZrN61:sd/i/q21onc/A07ZSuVN61 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\328.RYK | 0.41 KB |
MD5:
d2484aee4a985c72fc674b30309c26bc
SHA1: c78b467fc0eea444ba5f5c7327411eacf190ad72 SHA256: 51ff3c59f79e4681dc84f2e26393da377b49c1b4c7076dc0a94f3dac07d0de32 SSDeep: 6:KqlSwKxebVpTzAnK4jqEhK/+l5w7UyggyhesxGgcUTmQ/wMgd/GVqnnhmP1P9TW:x/y2PsniXWl5wwgyheUGgce/ogWGPVW |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.0.xml.RYK | 2.21 KB |
MD5:
98e1035080b06e099c5712789335c07b
SHA1: e867771430ec510ec47dc1aba5f32396e1e5d3c3 SHA256: 58eb5e53da49a8b038386ef16e4f87fb73b95c6d6a6ea9416cf87eb4fa18a85b SSDeep: 48:0SfJ93ywxa3omzZKqFl9pBA1bJ0J23zB/O8GbSSLMeYXwWUQPCs8:0uZa3omzZKqFlC1ba23dOj3aXNU9 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini.RYK | 0.46 KB |
MD5:
c24ce4669db6abfbd3d1f2cee2a62800
SHA1: 013a5510391197bed2c129aa97386200a37e3a35 SHA256: 17ccaa4ea2a3a8f3c4f73b0af42cb2bfe7fd8be4ba1bd96c735ef952f0b95980 SSDeep: 12:obR5ADhEI/nv79QjIJeNldtnzE7KjVaKKyOHGFD9BVmv:obR5ADhhbGjhldJZKyOHCQ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.bmp.RYK | 784.33 KB |
MD5:
534719e59175d3d5b508b7ec452df835
SHA1: d2aa3c0e3da6869cb4cdb2f4b361507a1873e014 SHA256: e0b12b740c7e8f5de482268b41f139d7818f0480a234044ff7f2e08f892de7ef SSDeep: 24576:VVJdqhi8ja72LK1aKksNjhJ0NTCVNJonHU27t:TJUs8jSksRvonZt |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\2\0000000000000000.idx.RYK | 0.36 KB |
MD5:
cbefbfe9a59df4b4878f66e803867b87
SHA1: 59e43961eb852905153a8ab86a3519efcd1af4d7 SHA256: 89fdf4190cbda859dff79a65fad195e1dbfae39991d01bc45e611dcd3b43930c SSDeep: 6:/eZ95C6VCRnAJ2V7vSdJ1jD/OcQwBozmkJgktJhtWLv1ElGVsmsBLiF9:e5C68RAJ2cJ1//OcQwezm0d7WLWI+cP |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Search.lnk.RYK | 1.83 KB |
MD5:
544a657559674c584cdc3c2bd523e7d8
SHA1: 8fc4121ca8f733753aa8e713ac47acea7f9fdfa4 SHA256: 4fd4171a12aaf7cbb53bd3b4312b6f3e32605e143d0a15e4e0228452455950e2 SSDeep: 48:QeCQOJ4ENhQjnsx9oFdZoMLnAgTgvwjljT4WL+b/xt:QeCQ04EinsMo0njTEwjln49/xt |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business 2016.lnk.RYK | 2.67 KB |
MD5:
e93c467563a5c1b585058f9ea42bec11
SHA1: 8836c96b14ba99ebea539f64b4af0bb5c9c9ac04 SHA256: de51b0c5a4ed774bd0df4f331424da04fa620277e4bfe8f30996ac57dcb7a43e SSDeep: 48:XujbxqhwboX+EROQnSn7bkND82bpHYJSyDHCCBjcW5ztOvKom2dbyfwOK:X8lywboX+KOoSndHCCQm8SomAwwOK |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini.RYK | 0.64 KB |
MD5:
285f1fdbf50d017a136317566bfa0910
SHA1: 0d4ec4ae51c1be77d636f22c62ef82c8349f7def SHA256: 18a6eaeca5aa5e84c8a9d736e1af77de3551cbad760a221d72c042f564820870 SSDeep: 12:ueRx6xI4J6m24kheC3l/9BJaQAgH6+NJBT2ycZxhKz+:um6hnkU6jJZDH6yP2lZxv |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.bmp.RYK | 784.33 KB |
MD5:
130ab26a71550e72504454c6b101775d
SHA1: 40ed37bab87906fd1d85e06618324da0ce0b0735 SHA256: 1107c8a4ce3391afb54b96fbbfc273a4a67575e9edb4504280e146bb6b74e1c6 SSDeep: 24576:vFNxiaE4DavWTqwkYUy6QTpY6+OYr6ZfS5ZZe:vvka/hT+YUy6Ie2ZYy |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-48.png.RYK | 0.77 KB |
MD5:
4899277da865fea0f9259b38103b1c23
SHA1: 99300ece4f71ea86af836e64f014b03b0bcb44fa SHA256: d7381b0dab3352150e33ec23abc4d2140d1acc762998b7871320b573e6c42af8 SSDeep: 12:Msii0jHkns5xss0mxKqhhMomod9dT02jbB332VgLTdwzrsJe/siwPeSLoho0Ypvw:Wi0jEns5xtQq2K9dJ2z2e0i6IKu |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.011.etl.RYK | 16.28 KB |
MD5:
731988af7970721524b7966b033490ea
SHA1: dec3b3a2a1c44fbb94863ea83825a4dfdb407eed SHA256: a5fb0a0632f68014b5d427a791c0f7dededfc7a20d809384d4579127fae56fca SSDeep: 384:tLPrx2JDqZOwWsv5mbXuj6f9R7nnw6cw/P1BBDosbWv:tDrxaDbwW+6zPzcwVBOcWv |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Word 2016.lnk.RYK | 2.67 KB |
MD5:
80f580a63f427722eb20091f7e5a3fd9
SHA1: c1988d48009514adf139480a9cdc72a8a139b48b SHA256: aa6df18eaee87e73e130ad711db5dabf770bcd2e69412f1bb7067a42b6f0b680 SSDeep: 48:x9Ma9yOfBYbgDN1fqbzc4ltctP16upKjsD3tvjkBsIlMUayPnu:x9MalfBYVutPwuwo1kewC |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\266.RYK | 0.41 KB |
MD5:
ff8623561d7d1aa08816a8bc58652cc0
SHA1: 6a6023ec7f006c142a291db7d44333475357d205 SHA256: dfbc3be98b1f8ae2eeea4a39602f0a905918efd8bc2f4d5860b1ac676c08a4da SSDeep: 6:eIsm4kWZIVGrrXOkZ7Mm1Ludnhd/f+DIGIK1khSpkXNX/uAdacpbmouVhGSqdbM6:exQmrOkZMNdD+DIdSpkhuvQbL+4ZM7ls |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint.lnk.RYK | 2.67 KB |
MD5:
197ac726f866ba05bb3d8555a21698e0
SHA1: 5605ba77767a068f176c13b37336b173ebf89e50 SHA256: feeb5fbb4711727f4c1024e5fd3568e88951237e3f4b4eb24a770e8eaff9db15 SSDeep: 48:W8f8kbfEmlcposjaFU7l1yHmNIbdTgLnVY3GErL9MZvLMG9:lf8HmlcLrl1yHmN4TgLnSrLAL7 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.020.etl.RYK | 8.28 KB |
MD5:
81208c2cb8b7efed157db359f2493927
SHA1: 94fabcf3bb1541d0eb16dd30636989ec4c336c35 SHA256: 8653b137af7cf833061d813617e9de5017b26fb9fd570510df52d489eea2e61e SSDeep: 192:xoyN9Ix2BMYANtb8WibeWfP7GDl9PHqNh5ts773CAiAP24gX:xIcBfANJGblrG/qBts7G3AP0X |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\Acrobat Reader DC.lnk.RYK | 2.36 KB |
MD5:
fd8cb88bebe16a264f2f6f3d7d585cce
SHA1: 6756dc276f205d117ffac3b99b6f286504588b62 SHA256: 98b6a9d79a66d8c2cf8314f2e01d8fbb186ec6dbf59c9ae83155842b484f4546 SSDeep: 48:M1OT/1Jb1+pGzAjBqxMifdG0zf/paZLWRm2/KAVLSc:M14NJBXzY+d7zHYwRmwKoSc |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Live\WLive48x48.png.RYK | 4.83 KB |
MD5:
936114b384b6c94a7ce2b45139ff8a74
SHA1: 651bcbee6f518fb5f4111d8d5f13dc6cb937f374 SHA256: 309d174ae68f33ffe642a12de1986a91585ace1113b99b02113fbf0e112dac72 SSDeep: 96:ejXBdc4ZqpU7BR36UU+cRXxgMLcD3dfSoK1O/vrozAzgx6X0yQzB:ejXBm7psqUUfv7LifSoKvAzgxM0nB |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini.RYK | 0.64 KB |
MD5:
3f22e9ab196c6300de295642ab200c4f
SHA1: a33ef5d217818030d3bb6c8322b543f0f357c6d8 SHA256: bb83c9e4734946424771c4eec114ecc27bb56987f67139aad6d1049113b675b8 SSDeep: 12:RyPnbmdoVXf6yX3TZvMb0TNGLFGwWwtLDxNBRAG46w9sFOi9Xb07l+L7e7bvulm:enbmdoRf6yzZUoGFGwWwtLTBRwQX4we/ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Steps Recorder.lnk.RYK | 1.35 KB |
MD5:
22fe18e0c1456b8f2f1f58d029720d35
SHA1: e1bba335bf0367b9989315d545e10030a9c2bb54 SHA256: 11e804091ae1512e4827446e7271dc005bbe172be10cbbb2efc563b025587774 SSDeep: 24:NyxcbpajYmvw5qQcZceHHamXpkj0u5JWJLxOFmdahpR1VHKGxrPYloNLgD60R7:msp5qHZcenarjBaLBdah/vrLIoN0e0R7 |
|
|
| C:\Boot\BOOTSTAT.DAT | 64.28 KB |
MD5:
ee3c7477ccb7d145212194725cc07079
SHA1: aec1410ecac866150ee3de35ab58571c50beba3a SHA256: 44ce14778dc497ed692f430685e843b095b06431846849fdcb5a81b3b5914753 SSDeep: 1536:Yf8eXrXTgpw2I5jJK+tqj2s7lCLHyPz+mW4Co9wLXw1m:DeX7qqjJkjPlCuL+mWd |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\dfrgui.lnk.RYK | 1.41 KB |
MD5:
060643a6596b408994ade1dbbb0ceaf8
SHA1: 98b7017c79785ed6e6dd68a09178fa0391e9d6a9 SHA256: 9df6d74d404ed4ce0052872764aa017a2952a4dcf69914405fc94e14b26bc3c5 SSDeep: 24:ZrUoXUNUNiiGxGFVRwNqw3yg22/AETrfRGqf5spyl+0o0yWoLS643D:ZwoXnAlx4wswiV2I6LIqf5sEo3kD |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.001.etl.RYK | 16.28 KB |
MD5:
9bb9b7cf666c6f73d185ca69db3e1a44
SHA1: 26dfa84508ed22a78272bf985e96a3a98fa3e551 SHA256: 4d19d2353490bec75d6904706dcd19b516bd16615bc1c6d2938f2e74656b4ee9 SSDeep: 384:QMRRB6uQoN+58ag5zct0tnd2eJlkJasXp50QBVJi62Z2xt//5LnPM+L:QqRBTN+58aSq8DGp7Bj2UhhLZL |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.016.etl.RYK | 16.28 KB |
MD5:
a348324e7650989118e0207a3a5b61b9
SHA1: 2b1ab8f0e394adfce1dcbf0e0ef75aef710692a2 SHA256: 4f508fe19f292daaa76d9c569607518bab1dcf657bf6d34e3ab63dcfe764f000 SSDeep: 384:6mN1NOS03T/nRumCQNrqMwvETMxWRi6lhAebdA6GU:6mNl03TJz3UEKWjYemo |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\09\287.RYK | 0.41 KB |
MD5:
1be7a89964ce578fd13124cb7fd87655
SHA1: a354ef86d45bcaa222472d9eae07d9e93338a4e7 SHA256: 60634bdcde7085271f0a2995f07816bde8727d078fc5e8de6bfcd57bbbe86829 SSDeep: 12:yjH0GTJgTXV8pjhdXVDcIadEdMBc98WTXC:yfJ8XgwIlywXC |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access.lnk.RYK | 2.64 KB |
MD5:
e4f239f2ba44e7ab57eca2d8eb406707
SHA1: fea3aaff88008ccca30ee9ae686f71eb5a08bfcc SHA256: a96ca28e12da38b543f464371f08988be133e5f92e6031511c0503d76b0ed2e2 SSDeep: 48:bznoj6bcacGU1EtUJhsSWR86zPEM3L+jqL3Ze9EX8sSDcNrAsIBiCVGwv24kY:/25JJhRURDEQpG5HBieGwO4/ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.014.etl.RYK | 16.28 KB |
MD5:
917e6701769f9859a3e9b5afb57b2f6a
SHA1: 37997c09be8bc754f799308b353b8bbd6532ec02 SHA256: 87c9587130e4f6a664c1b1f059b4a6955dbcc9a483c1170163b5c1c9bc4932b1 SSDeep: 384:MgAVHMTVkoDz4bBdCVE/atUS2/07gFSiMU7tzb8ykgAHrwo:As5ktzC407OSitzigod |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneNote 2016.lnk.RYK | 2.61 KB |
MD5:
7ea2d1ba2d43cc1eb59119c2de1e60d5
SHA1: 218576f789380a07152b02bda8f185779d33b220 SHA256: 0c71d383d6cfac94a36ed46b4627a8a88d529ce6d3e3e77a2dfb4e84c676521a SSDeep: 48:f+l6XgFTV5FVM6GwLmprlEkCZ33EQDWOLTkTR4/6GCP6tnssMX8PQKqb4bb0swt1:fq6XgZVzVMKLmpy33/DdL4R4SGS6t/pm |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-192.png.RYK | 2.63 KB |
MD5:
abe2074a8c416fd964d13ff973b97368
SHA1: 8ef8b76b4af637e0073d6ebad3b68f90e3b1aa40 SHA256: 8046b205b05c1d37a7037d1ec8c3bfdd35213e33cb5e70ceab1d47b57b6ffbae SSDeep: 48:/22m3s7WE2hWxoGEW6Fih9MfeqevKO+r+KMvxFj/+G+z6j9WsyXi0OHFALvTDDS:/WbrmoDU9MmqCKOBKMpt/D+zG0Xi/HmC |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access 2016.lnk.RYK | 2.64 KB |
MD5:
0932f2431e40dd3ee16e2b5909a2b1ec
SHA1: 90dce56c12121223b9b2e034f2749aca671195f9 SHA256: 2781158908943c3ba960e25ec8b6f69884066b75053ff1c2783c912754ff2b84 SSDeep: 48:oBXk0VjFnkiUfnMEo7fQJLaE6vjtyakNN1UGSM0keeKYn1dkhI/iYw0x3:qvlLUfnM17fQJ+vZyaYFSjeKYnAhIa9S |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.008.etl.RYK | 16.28 KB |
MD5:
4458721620302e1f7cb2e08537464d27
SHA1: 9b51efb587b6d1537e40767e09c33cbc6949cb7c SHA256: 37e8e610257f74559d0a7b2337582b6021ef21b129098047bfc8e1ebb27ead72 SSDeep: 384:0aZ6eecBNafXyCHYqoMi9i7NhpQSFAMBKJ7IYSz1hq7SGyfDkq:0aY9eZCHY7Mi9Ka7lSz1hq+Sq |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\13\278.RYK | 0.41 KB |
MD5:
cfac14186d987837714f3b6a4dbb65bb
SHA1: c92b3dad06af391babd7dc9d790582f4578cc74a SHA256: 629c68a983a6cc03c75ae372ac2017fada00acd0e00a0ce5714ad4054df4fc6a SSDeep: 12:nxAxOlUupOd4U45/zSaBdJ775zIYhSCV5wtf:nxAE3oeNppBtMYcCryf |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.010.etl.RYK | 16.28 KB |
MD5:
537a8238742c34050a7f964823a02709
SHA1: e39ab44ba4cb71fa87f59082f602247d8b4159c9 SHA256: fb93092ecc6165cd1bfa0036d8abe56151f5d8e7be05abd69af6c6be00946b69 SSDeep: 384:uhqTYgVeyD4PsTcp+i7bxVZQnNtRwu6NuxLz7HR4:bTlVxaBpl71QnNtnGM7O |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\06\13710.RYK | 0.41 KB |
MD5:
b4db030c2e904c9fda241f34990318dd
SHA1: c7330022813a8f80ab1957c5892ce1493cd522e3 SHA256: 3946e95c16a5ba78190a856c28459fa9e27b65e6536e0d4f3bed736911d08984 SSDeep: 12:pe7zd9i8w/xtI/+qXQ39Om0MP7a5wKvqaGrH+dZsL05O1AH+:pen/twJy/+CQ39j0Qiq9QaoQ1Ae |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\13712.RYK | 0.41 KB |
MD5:
58fa4680084c67457321a9700c32c8c7
SHA1: a351f269501c30aec5ce6be29c4c238989c0d201 SHA256: 48ce45fef456744928be378278ae4ffc9bea7ea6660dbe6875fa72e505a6b229 SSDeep: 12:tEfMI2uWvDhr6iDJ91iJeN74aSVU9Q/hTjv6s:tEU5uWvlNDL1iJeNkaSVUm/hT/ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini.RYK | 0.44 KB |
MD5:
828fcaad5d68f00b8529ccdf29c9374c
SHA1: 536ab2655f8edf3b0bae2cde80ba14a1a36d939f SHA256: 9db1c9c6e5b3d91532837183406a04220f1ac1c9c2ba5d3dbf13b39bb9377ad9 SSDeep: 12:BDxCp6l0xt/DkBvhx0KuIQoUNT9Wni5bL:BDk6ut/qTuFoq9WSL |
|
|
| c:\programdata\microsoft\crypto\rsa\machinekeys\08e575673cce10c72090304839888e02_427a1946-e0ff-4097-8c9e-ca2c1e22780b | 0.05 KB |
MD5:
93a5aadeec082ffc1bca5aa27af70f52
SHA1: 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 SHA256: a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 SSDeep: 3:/lE7L6N:+L6N |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\setup\refcount.ini.RYK | 0.30 KB |
MD5:
61bf1c3a86cab5b9d0a9945bc3dcb080
SHA1: a2bacab2c025726637e77d666245690987ce9be7 SHA256: cb237247ed1a6e9e166fd5a25c8565f38ac49b6a26869785cfcf181f33b8d67f SSDeep: 6:Lgs6SbQEO6yPHnQ/BhxreXHFn8Ls9p7oAqxWD9UEpsAPs5opFe1gU8uD+HC1qX5m:Lj6SbQE2vQ/A3sq7okD9xhPs5oK+uDT5 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\04\259.RYK | 0.41 KB |
MD5:
978b748375dd4c4ba4a28fa6d02b3478
SHA1: 43ac75befd4749baa672dd7a28f4585a05fdca72 SHA256: 377bfd83ddc7b50b817e3cb5131ff9186a0f92c8f25b6c24226bf16eb121af11 SSDeep: 12:8uxzufL9sBL6TsVi9cSYu4SvjWp4lrMA8IK+oL+dz1/3URK/Hn:nxzuj9sZnVecBSvVWIlkeqRK/n |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\193.RYK | 0.41 KB |
MD5:
5ecf0a864ebf5cf90a1cd8cf70422380
SHA1: b37bc2464346201e36a82b52bb6c1ac01a4abaac SHA256: 053c774ab01dd685ab88d152d1aed295a2bf5f0d9702a3a794c99803bf3b613b SSDeep: 6:Ecoc3SJpZGii3fjpSrseaQ7nO9HftP1Pu/sQtmM4c9AvOsrQbcjoS2LBMSepVCI5:3oc2ULvjIS/ZEFm+Ze2LBMSep3oOmG |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\03\324.RYK | 0.41 KB |
MD5:
c5378570aac28534463012e399721865
SHA1: f2c9d66c3aa1756ad056a50ccbe53cc42f4c2183 SHA256: c655dcfa93edee160394f7779598767d8fb499ebdeb9d9818cf5a96d2793317b SSDeep: 12:dkKn3kXQjrzDy3ptw/K+LypfolpcUGCmQsDsB8:ZnlrnyTCypfqHGCqL |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.007.etl.RYK | 16.28 KB |
MD5:
a1494062d9e39ad5429810d3b1db1535
SHA1: 71457a5c0803ee01597486a5e43d2d7caaab940c SHA256: 7171f959b71023acf0bd42f840a521f448bdd215289e75642f8a8b16e66819b4 SSDeep: 384:f6cvXxEY8MNZ2xaOemRcHPRXbYsSsFhaPIsar2n8KrYutlk:9NZ2cOeKsRXMsewsU2n3rJtO |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneDrive for Business.lnk.RYK | 2.42 KB |
MD5:
8d10727ce5eec2497f7c4c45a2a9ea16
SHA1: d53c8543b9d2c784f459607fddc3b224ce474d15 SHA256: 53c6b1f52d3d504ddeef3dde271666111619bc4b55d0c85bca3279ed92e56496 SSDeep: 48:f0to9TdVHa2BDAURwdVuRP5ruvA/h0tv34MyGbiBMpdTBk/RIGrvFBFwktqsfvG:f0toFLH/DAU+udkvAJ0hEKxTBkpNrvNW |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk.RYK | 1.60 KB |
MD5:
9ef9eecd22e5d3d46807386d5974a7dc
SHA1: ac8d2aa103b343896a305a9bb8ab9fea3b5b6f32 SHA256: 787e7106a6f60741010bd7cf68a4ba2431a33421171abab08ea840dec3f33cf7 SSDeep: 24:ZoE4mRN8OyR86ba4Zi94tyBLrdvZrX6gP+fF72XIjmzXjdCiNiDTEwxXJ03TYLoR:KE4EN8OyPbZbgMgmfBEfjBinEyXJbosy |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.015.etl.RYK | 16.28 KB |
MD5:
a815890cbc7470df97b220348e80cab2
SHA1: 222bbfdc7139cfe81915eea6bbcb59131670cf10 SHA256: ea26fde02e4f7f1d76f79a9052fb0c6b537a18c435b5348c991558a8442d1bf8 SSDeep: 384:3UEVTjzGa7GH6J5FmcI+gOX95YFiNYZlw48OdcNOJl:3jVTG3SAcI+l959Yrw5O+kJl |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\271.RYK | 0.41 KB |
MD5:
0a1701d57d9d3cf27e80fb6e5558d6b2
SHA1: 357753219004748abecaa009ce1a32366d78f5a8 SHA256: 16f473be00daf2e1b5774180426f239796b421992deceeb5a86d943c15572ea1 SSDeep: 12:5VLvITbEB9x4x1VNap1fFfoo8yvaBa/G1mehlSXLsQn:bL4bEOVNaXhrl/cpOso |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Visio.lnk.RYK | 2.38 KB |
MD5:
430ded87ea857f3768a236e6ec8ad2c2
SHA1: dce0b9dd76fbc8d41e8b24edf3e074a8052e11c4 SHA256: 6ccad8028024f7896d6ce88e7fe414d84d429a520cbeff36dba349b4e3f98958 SSDeep: 48:uIPIlkVuP5S9CKDO32rdwNJO8EdiRAnkxLJhEkcr5RBmy:uGI6uhS9U32rCJOZ8aktJGk+5Cy |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\04\261.RYK | 0.41 KB |
MD5:
ee372d866fe53d0e22189f564ee987ed
SHA1: 8886bb3bbca68330f2468192e206f665aa59fd79 SHA256: 20d29d1444b6650ecbaf440824cb3ad61de1088d2bd108409cf57863041d1fbc SSDeep: 12:t1T7bUrUJjYeVVKAUc5mjh7sOerPjJ0iyIoFeh1GzX:t1T71JzVP5mxenJ0iNezX |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Word.lnk.RYK | 2.67 KB |
MD5:
99ddf05a02ac05de1e5162f7f22bca4f
SHA1: c3d6fbf98c339271afc11ac466cfa901c31ea4a8 SHA256: 16c3819fc0bcf59e56a30a373a53b765fd451e4f2677c9547f3caa63c016ff56 SSDeep: 48:fkXKhPoroSs8J8xF4Uk3DP9y3Onf4WBMSJ9WwOyLd5B65XsOgCiZ5N:cMgrG8OxFa3DPo3wtBMA9JOyLdiBsM2N |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\12\194.RYK | 0.41 KB |
MD5:
6f3f476fdf0734f0e79e3cd9fd045a4d
SHA1: d782f0df680f210881cd38c2ab9f764f1396fc18 SHA256: 49c1cc453e433c3183b490a5856d586ef8aeaf2f185cb5d824f62341fe90ba08 SSDeep: 12:4UJZ6EV6IhW7lj/Rr4Y6fsnUkJtjTo68njn:406EVSlzZz6fsnUkJ5UJj |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini.RYK | 0.44 KB |
MD5:
74814d95e0c73b784bbafab922d337df
SHA1: ae02dbe434ffc6bc5b9bc078a7854bb93c31efed SHA256: e32f6df0408394ed9cf54f10df53ac1e5e8539ffb606cd38157b1176375ab1ae SSDeep: 6:B6Owoc10XW32WUce7GKocEnYnBYz3vpRNup14/Korqf2p147FzHRgGD2cC3BbwoN:B6O3XQUzTnBabIb4/KorkS4ZD7QqsGJQ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.018.etl.RYK | 16.28 KB |
MD5:
4169042795ac82a916d514b076e5ddea
SHA1: 289440e242b57f009e515cae25b376347af90949 SHA256: c8dab05483308cef0afacec60b7b3d3332b509faebf8366856f18b96d83d0e2e SSDeep: 384:ecKBgCbXDtYgvai3jC8dgC657b5UMKZD0bIbyJtKv:ehm2tiNC47bz+cKv |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedScenarios\Windows.Uif.static.RYK | 2.83 KB |
MD5:
6cefbe21d2fe37772c38f8703fdc7d9d
SHA1: 6a9c9383b773990c85d78cd9980921af2a9741c3 SHA256: 5563441cfa910cac1c8be72261a9ad8c625f411d0f057ec055284a7af600d391 SSDeep: 48:WG46EDS9SslfEzY/VL4H520Chp06XIhSUm6ONXUDDSFOjVIUJu5a40pDTcEBKOOo:54VDSL0sLII6ONXyJIIu5a40pvcX3JM5 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\195.RYK | 0.41 KB |
MD5:
79023922cda2bade4cebf3f5b633105b
SHA1: 8394074c5e016d2bc32b9cb2074a811f5bc6378f SHA256: 85a779692f98352b90a756526a6bdf3973bb2bb4eac1219bca283b0a43d2a341 SSDeep: 12:MMOu3jTP4uFHPYmYmOEVax10JC4g+PT5yi:/4q8nL10Ut+rV |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\198.RYK | 0.41 KB |
MD5:
1a05b7af1cbe702a53c90cf011423c26
SHA1: 6fec8ba38cbefb44d2669ca7e2fdf0ecbd9488b9 SHA256: 48a46866c6e720d1a9165224dabf81d793ff47fdb617470676d6af3e6951ef1b SSDeep: 12:vvXvsG+hxRo4HvDyS1oLLDtfuz3b/BeSPzGybIUn:2hxfb9oLNfOM6GybB |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher.lnk.RYK | 2.63 KB |
MD5:
ad1f6a4e1925d09743a103fa6106682c
SHA1: 130f93d776f022fda340615c2d556369c1aa52f1 SHA256: 249dd4f7ceeb9741f16388acee6129c03d443bf00d970dae2b0ef606a4cd0860 SSDeep: 48:RvNnfaSU1Gp7ukV+nZhkziwoc8exgpwrJ9XTPTZRk+99oZcV:RVnf+GpCVZyziwUHcPTfLDoZcV |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Immersive Control Panel.lnk.RYK | 2.56 KB |
MD5:
db64cce5274accb4d563fec45287f918
SHA1: 078834fca5290e21a18420c5d582b0a3fe97ab8a SHA256: 8718265a8ef7e7013ae317bbed1eb00b116ccea71c66de59e403f8eef36a88c5 SSDeep: 48:ndk0NBjO4JYIJY5Zztgm1wzNNywB3WOels0EOnHp8A5xZTKo:dZBS4yIJqZZBwBNywB3WOels0EevdKo |
|
|
| C:\RyukReadMe.txt | 1.28 KB |
MD5:
55b3bfb09c9b34a5800004bbc9cd87d7
SHA1: 43fcc0be9f710cb7be8358908127cb31753f38dc SHA256: 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4 SSDeep: 24:iVeUE1sLlHgPsoWIeTt2Ww4OFGdqvWDbbOyxGSConbildyspzRC9XYcHIzDjn:xUE1sLBTwx1OvblglobsdxudIzDj |
|
|
| C:\BOOTSECT.BAK | 8.28 KB |
MD5:
b0b4b99163599acffb8aa5f7299f553d
SHA1: f8732a3ecf5425229c3f582cc0874657f9b63f57 SHA256: 5a9f513b0f92b1d7db8287ac871830ef234202e415d2b7ec0fe5b35f605cc983 SSDeep: 192:LgktNgEGM1HIuauqva6JomM4ozAWHsuecTpHINH:Lg4uEGMpauUMpxreclHs |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\XPS Viewer.lnk.RYK | 1.38 KB |
MD5:
29137a89f232c70d37cab8fc3fc86631
SHA1: 453e25a226a4cde70ce6514744d32d153e50a7b1 SHA256: 0b07d67d501daf6e9640bc88995edbf90f096a571533c8d5f47b00ebbff2aa97 SSDeep: 24:DopD/CGOxm3XYk61HgDMQsPujHz1NMpT8VoyYDxaRri6wfp/M1Z8QNGIMCTt0f1V:siDvAwuH1NzVtY6wRRQNGIX0f1A+gu |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\22\323.RYK | 0.41 KB |
MD5:
500557235213a0179b997cc69ff86d85
SHA1: 899b3ae875788e154e5aab79a12d101ad9c2da56 SHA256: 3c6e2004f1764756400ba1751cb5fa669f9ec0bb55ecb1ebd108148727cb482d SSDeep: 12:4/2skAZAnLOc5mih/Xow0+x1A37QyRlvZ+:4PpZAnLAo/XowKTvZ+ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Get Help.url.RYK | 0.46 KB |
MD5:
1e21ac75075377cc44e12b34b7a59611
SHA1: d722aca224042f5b327a38851d3ba8c8fcb613be SHA256: 91a3df9fa038193f7c5438b901e6d72118d3838d352197df97069f4de96e6772 SSDeep: 12:vJpQJ+KaF1c4a9n1pLgs+2Ex1VJevwEz8yR4uQRHZymWR:vJprKaFO91pLPg1VgH8VRHZymO |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\199.RYK | 0.41 KB |
MD5:
45cd1b02e4d49f129a485c08e74655ba
SHA1: f10e2876a5cbe6528c0cc4e2a4d9cbef1036ee89 SHA256: 64da9b7a9e8798e35d34f5e282a15a03bac6f925f475310e0083265fc92f4dbf SSDeep: 12:tZk58gB95sNbw6GYBFsGz1Bxe1Swtammxm:o58oew2F5U1N4po |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\11\200.RYK | 0.41 KB |
MD5:
4abf4e9138c24c9f866ad0b2b08d1b79
SHA1: f5ef537d8a534b01322bee6fe940c437e7f31347 SHA256: 732fd9e984ece545a711c3b9d3c65920f1234d7f163227c19f482f57b11997f8 SSDeep: 6:ihxDMfV2Jw2OBs9BJT3P66Zmal6LJjkn7YavyC8EggI6kA7cuiwCiK/ouVYRqgOK:CJMfw3OBs9P5miBaCaeihiKNVY3OTWV5 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\21\13719.RYK | 0.41 KB |
MD5:
ec1b9daa8220a41210f4a03bfa4e9899
SHA1: ce50415d0beaa4a95a0c59bd2ed5e9942607c6f1 SHA256: d11e67771f7b4952779275f22ede0cff93af908e4221aef16117d5891666c3bf SSDeep: 6:w1rhcprRQ0PGkPggbupoBwwaj/OcubwpHkzw1Y1vZ+1DzGiWLGeq4zrZpRWKyn:w9hclRQ4gVoBwwa/9ZsZiv+ieqgnRun |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\300.RYK | 0.41 KB |
MD5:
49dd7d0937ccb31de59125205876af8c
SHA1: f24e8edde0347037716ad99d95b8bccaaa955657 SHA256: e5037c3c62dfbe5ce744115b6bc086263640868133e986c77dbfd6d2d28b7e72 SSDeep: 12:VfIXpe89SxMw/satlDFNkVqH2xys650fE:2eHfsajDFy+2xys6+M |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.009.etl.RYK | 16.28 KB |
MD5:
07b60f0eea653e281b3e71a395ccbc32
SHA1: 532df42548c0216d2c13b7d4e991c1ba453edd3b SHA256: 36259de763fb60080a0419d4767000bbb378691ab559852bb9a86c366a0fb42b SSDeep: 384:FFh2jNt2h6+TQXd0cRrImIIwU4pu2xgZSEVA6tLdDDphvZplG9:FL3h64QX6cdImIIw3puWySEntBphBe9 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\2\94\A75BFDE52F3DD8E6.dat.RYK | 0.63 KB |
MD5:
c6411616238c7a68b1a0f53cc257b277
SHA1: bef61368a3302e4afabfbebb14ee026eb3301aaf SHA256: 3e2c20038909cc2da93374cbc0bbae9ef862ba0d489d52b3d5866c3d667b830f SSDeep: 12:vv3UD9zSptSSe239Es+0WlX5Fb4m51p9TXZa/5ZynrNGwUBdHHsCkJ7UI:33UDNSutgf+ZX5FcS7tXZaxZ05GJdsCW |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.019.etl.RYK | 4.28 KB |
MD5:
0ae393b85af97c447d750fcefe66934e
SHA1: e4cf1596e475197508f1ddfc25f625f466f03c15 SHA256: 9e1af182644e3cee8f710e77e63e608814d1d92d3cb354b8aee1208707f96948 SSDeep: 96:nlCd75XsfQbmLV7L9jE6uNPgaAAWjcqVQhYVhFfdHlS8Ffnl5:lCdGfIujEjPqOh8jVQYr |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Outlook 2016.lnk.RYK | 2.63 KB |
MD5:
1fd9867683e75574c9ad550399ea36be
SHA1: 9ffd7f2efb00df0a842f38b497532dae81e43ffa SHA256: 8ef50c62945d015bb02c68ce0a67f10e23b8fb9d22064f64b1db6f2f884f2ffd SSDeep: 48:aAdH4rJHNMMSO3OuApVxRb01cfC5YlE37WeGaix2TqZ4+H4mnPwfR5+fnNcS2T/I:eNR1AxRb0QeNWehix1W+HhPC8fnNc3Tg |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.png.RYK | 5.55 KB |
MD5:
8a9c3fccd9800d854c41d7983cb48888
SHA1: 8453cba60660f795f429d61f4e6c04757d8cf8cf SHA256: 3a59b18bc55c654fa312c99ad2fd34eba042e88cedbfe46b672b8020ed2db630 SSDeep: 96:6WW75v4rGNaxIk4YZdAEoJL5n/Hx9jdfZc1WywyyFO58rLdgz:6f5v4rKaCkEn59xfZcUzTFO58Pdgz |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini.RYK | 0.72 KB |
MD5:
e46ecb563b50db556c99ae73c5e06181
SHA1: 4ebba35a4a88b92c7ca8e6de4a5c305ce63a4134 SHA256: a6d538b4cf409d7d4678d44589a9ad6bab5af39241cf722270da59e1a624a3d4 SSDeep: 12:8Fr1OFODABevE/w3OuugQIyK6/cdvKGHYYVmWkGxTRzzc4mS/Y5iQm3GJOf8UdlY:8FcFnByJOuup86yYYBkONHYQQm3GYfL+ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\20\189.RYK | 0.41 KB |
MD5:
ae01329796de6069be5b3ed20ef31cba
SHA1: d53ac5cdb765f09a5dc8d1939fd40957c0d9f5db SHA256: d222dfdb32b42f09607b893594ed434318afc8e5d519bf51c60a207f212a73ab SSDeep: 12:k9w8ZzEZKQ2mm3Bmyyv17UqTCN9rCa47zmp/xla9:k54knxmx1QqeN9r+zmo9 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.2.xml.RYK | 1.63 KB |
MD5:
2150ceaed0e677f3038b27fbd81ddb64
SHA1: 9d84f03a96c43ae17c87325ed05dd5deaf7ceb5e SHA256: f4e39a515d82181f6db460b221380d386731b3c864166daa3a0274fab4ad719d SSDeep: 48:gokSZ8KFbuuFNXj9d8xLXwScNl+1aMyJ3UywC3fBDycy:bkSZ8KluuZYr0M2995DFy |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.002.etl.RYK | 16.28 KB |
MD5:
4448da3e8a3413cd23213ef3e5180148
SHA1: a7fc15e7058f2f2764436b52d93fa37a2805e8da SHA256: d203c4fbdbcb889be1df09f369beb2ab1068a97f22291ec7654359b6d017b6d5 SSDeep: 384:eye3cY7IRzlbmrlK94QW9Y3ryEt22Wj6o5aBdfrJ:k3cY7Ezl8lK94a72L5g |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.005.etl.RYK | 16.28 KB |
MD5:
7965ab3d9562bcba774b36dc16ae284e
SHA1: dda8133df3654fe430422e95be50da11944c391e SHA256: 7f10aff392197c9433c5d62a9dd8d6135af0b5d7944b49a1be61f6f0d4c01089 SSDeep: 384:7kqchLUgpc44gCBMGC7D+rNHN9OQTbkLMSNwOu+esN8XzOjD4G2kq:Aq4cHgCBMXD+rNHN9zb3zOVlqzvGzq |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.1.xml.RYK | 2.21 KB |
MD5:
168c15134a44ce93ae34c0289a64f082
SHA1: e6f252c72d2b1afca463b38eb238073ea86b9326 SHA256: 073ed824f4c90e18e75bf20b9c19fcf90b47bb00c50c389d4d0a1ef7fc3a7637 SSDeep: 48:yWBKcyTI629C+cNv1ELvZt8tg6ZUb5dQ6I3EbQmAvcXD:fEI629KNELvoRZw5dC3ZFY |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Desktop.lnk.RYK | 1.11 KB |
MD5:
90be73ca7675faa2561708614902076c
SHA1: fb0ed9fd8d60d20d762fb423799c49b114e3c932 SHA256: 00b5ca01998f447a1f3244a1ac88f853daa3ae8522576ae9579fb6aedcf58809 SSDeep: 24:MB7OlgS4S2laytUZJD9wKy/UwYFoQKa+iKCnlJdZ5jU0D2pYoBzqG:MB7O2SwTUG66rlunzTMGG |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\services.lnk.RYK | 1.41 KB |
MD5:
19f45b888c2805a123e7c56f50f7af11
SHA1: e06c2d7e00a4d78b902fb494bc6df576a57a261c SHA256: a6de2eb6433f9b42735705120b2304cd6639bae10c98d920fae8db8ff6a2840f SSDeep: 24:IQB1SGk5NWd0O3GLbWPlSCAUPRu9zPgmM0zEPylr8Q4yMNI5RI6T0HLMu3HjlKe2:Iy1SGk5cdX3GLbWPlSCAJBAPylr8Q4y5 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Paint.lnk.RYK | 1.36 KB |
MD5:
5081ec8c133183592443d1a086fee6ec
SHA1: 927faaabcdfbbe136f10d2c9fc50d652dbc673f4 SHA256: 79d456261ac9e63135e2829aef9ba3638d655702c8c28944bc377fe894a481e3 SSDeep: 24:kgNnseVvgM3/wIuAHEUT8eyfsR5jmwTprA2UHRxpTGHtWCC6+AfmcL9pCjFimYHc:xnZVoMvwIMUT8eSa62hALrutZEwKEHJO |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Snipping Tool.lnk.RYK | 1.38 KB |
MD5:
c9739df832eb21a1001710710c95c174
SHA1: 837e6bf6d7072fb9052f5b5cdaa9c349c90c3b28 SHA256: 218fb10e173ae084232ee8034a39f47dbd466b95578ff26404e50c8026eb207d SSDeep: 24:e/ZTZGcS3mkJdQGoBJv/BQM4UeA+hgAG1KTVpDKbEpmXjgjRhL2qWlXevRvNlX3E:qtZGT3hwdHWMeOD1KTniE0zgjH2svRv4 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\10\286.RYK | 0.41 KB |
MD5:
4f5ede5df13d963ec35ced308138702a
SHA1: a6892b4df75f929c558766b52578c0a61f8583d5 SHA256: c814fd9bbaaa38dadb00beb5ddbe539e489a52e37b2c75ef69f5b16739755dcc SSDeep: 6:nrgXxcsnOK3cC4yug8SQuTzHINlYY3Bg7gO+FSyQS6Gx4djBJbA0O6B28bqApZmI:n8hrpcxyIuTLRY36yjHxos0TB2k9Z |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.021.etl.RYK | 8.28 KB |
MD5:
79b7b5b6dbe7c076af5ccf0740d00526
SHA1: 781834e658375a417bd74aa769a2065ae49cc57a SHA256: f701cc524cc89ae62288d874f5085ff6cfdefe6ce2ef0174f8bb3be5dbee8061 SSDeep: 192:Stu/Fd1KkJ01OTnpfv8cfOKxJ/bONgVva0rHK:iUD1qOTpfv/pX4gVvd7K |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.013.etl.RYK | 16.28 KB |
MD5:
55c2ddca19bddec73d5b6200ee377d6b
SHA1: 1264e09c2aee48be0929566d3cab2a891d22da6a SHA256: ed1d0bd3cbf41ec3e80225c15b74eddbcb6a26bd80dadd406b2f98f1bec3737e SSDeep: 384:OaHSPyn18v4CPFtjg9RqpeKWV2qU9TiO2ts0QwjV6agMXMO:bLPCPFt2med2qU9uOrvw7gCMO |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\272.RYK | 0.41 KB |
MD5:
ff1499d0b88be8351dc80cda2ef08f0f
SHA1: b897aa92e03cae2ce3892cc497c18266566e32e3 SHA256: 9d012674db55eba33e7acc3779f7e61e1603512b84feaf1bda7759a1b847b3df SSDeep: 6:BK6BfsylhSVjTd9WW393VqH7bJQzT2lpWZkZYRD0K225TwSMT6Q6r0+E0In:1smwfd9BWbbJQMsKYRI2q6QA0+Ezn |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Task Manager.lnk.RYK | 1.38 KB |
MD5:
939c3de2b51064e64a1ef41f4e4bd6d1
SHA1: a4bec1fb9717a9f89f4c9f4577955ac311d25112 SHA256: f24c009979cf6ad194e5c7ed6967bacd9be9b352d88f28c1e597994b9eeabb54 SSDeep: 24:ZtLI8VuAFnMVgYctRQXvvplRsHXFNj7Fhd8NFPLFgy60uUR3kWruAaZZIKutgFNk:o8HSqRQXvCFNj77kzFm0uOdCAanSKNfM |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\317.RYK | 0.41 KB |
MD5:
e13c4688c49b4f33d8b33a37ac260b20
SHA1: 4763a187b4a73c332beb54667e310ba14887f189 SHA256: 25081fec05a4ac570f766adcb83e5a2a87d0f08880f482f574152102abb2fe54 SSDeep: 6:Ehje0HMdQl+++/U8HCC+5fPnYoUDSJ6vrDpLzTGpa8st/PhEnkS+iSJ0DZyld4t8:EJ10mgHePYXvr1HTG5stHSkKS6DMa3Mb |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\14\9664.RYK | 0.41 KB |
MD5:
72f911b6d4bed5dbaba0edf4d4f9c979
SHA1: 77182aafc83c30d1d96cc51142458dce0b894277 SHA256: 05f3f1cdd0c2167298799cbf45a520791cb057dcf51d7084323538d2aaf798ef SSDeep: 12:+DjZRO7ykYDtDRE+OlwqTAaJtBNzXik8R5uHdTV:+DuGcH/T3BNjTHhV |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\263.RYK | 0.41 KB |
MD5:
f085310b0d0639bfa798d17dad9f35ee
SHA1: f631e5ec18fb2a9fcffceb20f0dc470b47d53d2e SHA256: af17ff6d058f08a55061a5dd9592bef98d8be3adf32359dd712a9ef3871cebd0 SSDeep: 12:LfMMxeO9f4FaRYssyjOqTtgGymk4QW9nw9VVgqDoag3hMQ:He0T1j+Ina3Vg4jgxp |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-32.png.RYK | 0.67 KB |
MD5:
4c949aac3c40079f34f6e585a0cfef5e
SHA1: 21930dd7b1b3fe415b9720893ce2639118ec1181 SHA256: 5a0f6d162071ad33f83f591301baebd307222d90027e4e01b1c4162b22680ab1 SSDeep: 12:NoGDxZbtfP72svRueJ+5Sz51XC2CfSU5JUJ9hwuSgxt/r7EYMOC1IZyb:NoYZbtXpv4E+5SzTCnfSWJUJ9uuhx5En |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini.RYK | 0.44 KB |
MD5:
480eb25fb5badb9cdb07e8d9f31a2d5f
SHA1: 07373dca2a3e7229ffed98ca7cb92e52ace07d3d SHA256: 3d0ce59b0b1351ee1b6e882f353ce80378e7fe387ae99035bf3b06a79b083e18 SSDeep: 12:Uinp3dXwjN5CYwjx4JDD1DFvujXmU6iOc5j:DNX0rCYiSBDJujXp6i1j |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\MiracastView.lnk.RYK | 2.44 KB |
MD5:
143bde3ff69b532b74e76f0dd7eae9e8
SHA1: 6352cb43bb4e170f55c0c1bd83ae4dc23a723bc2 SHA256: 7b7a64d27757fd602532e49a2eea80be35d7f90ffcf459a0ed33acdc3cfd1568 SSDeep: 48:e5F0+32B9SmKyuzLRzQWtksrdnuULPkLnqOcDf8I5pfWEisTSL4o0sxB:e5KII9SjVzLRzQWHuULPmjcwI5pfIsTI |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Acrobat Reader DC.lnk.RYK | 2.67 KB |
MD5:
96ac452269e3149d9378f19306c5da70
SHA1: 9e456329b86f651f3066b8d78af3e90ec93f763f SHA256: 3999659c2e02ba80b248b3d7855588cc89f02c99a0cb1dd55e8f41ca5785e2dd SSDeep: 48:NTEI8sKk8jGbr7XzNAWz4+1ZTlLM8LhJRsULDDXMuSORIiXiHgAHUXCB7:N5bZ82r7SI4+HTrsmDD6ORIiggAiCB7 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107001.RYK | 0.41 KB |
MD5:
a32c4f605e06b2ba6530270ea88c089c
SHA1: 9f45ac422c80dec68f62515c9776c598730705b9 SHA256: 02f30f5fddfe9e9313a3d8dd5da8dc1a1552423d90ab092ee1292182b1b083b5 SSDeep: 12:YYA22E5Hodw1BE3SpR6aGnDEOY6mDnmEeBiun:7Hom1BnMrnVYdD5sHn |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\2\61\EFAE1E6619D4EE51.dat.RYK | 0.50 KB |
MD5:
157862bb7e1d5b9cd8efca58856e186f
SHA1: 8a93c224d4c6e2626a25e00104ac7953c670fa11 SHA256: 0bdcb4134e8ee62838c1059546aed06fbdc5d9fb32d817e3dda3dfadd67d5298 SSDeep: 6:kK28+tIf6UUC1mS/DZ/r+9GUBGf4OCodPri8zxyYCeoG10LeZ+Sv7Ek7pSG1yOPC:dVfhvLwDs2Yu8vyqISvT7pkHmCB |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel 2016.lnk.RYK | 2.64 KB |
MD5:
2d64d5ad4759a878ba354856e30da103
SHA1: 00f03f9a96924674489d340f24f22f992c9177d7 SHA256: b7ee456da3174568416a84c213c95c311577402bdbfcd24d746326726192a4a9 SSDeep: 48:j82iIF4oizUV2Wo8kENzTzkMWfIHX+elDl6Pc5awV0Wk+Dp0d2vJC2J1HJKO:g2iI4gIGXkMSUuegc0w+WkUagv71oO |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-40.png.RYK | 0.71 KB |
MD5:
013ec49240712b27cb309fb92b4d893c
SHA1: 2ab417231a3e523049e65c7f0b17bf96a5ca779a SHA256: bb383f181369f0aa71c953b42b95575b4751f9d7ab0bff27bd660d1c76e63f84 SSDeep: 12:RIEP63vDH4/EipkPiLYT+yW46mJXlxhIKasvWuMmaWDlfz759hwfnX:RIU6/DMpiKLW3lxhIhquW5fz7Nwf |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.003.etl.RYK | 16.28 KB |
MD5:
a7b578b6e9ff020c44bc1e3ac7e73f69
SHA1: 4c54461bd0acc4dfa909bdf45396d3a62c8de9c3 SHA256: 87ca718cca80cc1c9f146832e2d7e2a8e9c2ec85c8a258751ceaf69543e96d21 SSDeep: 384:lovOIYAYDKsQZqfWcbh3vwZcbTojrYAzQH0FbFpkg6:lRPemHbh/hog/HKJpa |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\10\267.RYK | 0.41 KB |
MD5:
ed6e7a8c1f214b444350fe311e303056
SHA1: 9035b0391109155fe2befcfb28a1cce2762856d1 SHA256: 574a550f6d0e96d29b8a4b760c992dcd842c0c3c319ba1cb85cb955d32a20b99 SSDeep: 12:10UxQxsjV8PHInL3yV6O1lu14juJmelCnaqKTi:9xDV8PHCL1wu14KJmBnaqv |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.012.etl.RYK | 16.28 KB |
MD5:
75db94c98abf5c01ee2db483533dc723
SHA1: f1c907eb037b9fe7d7027bfeaa852f9c30177e3c SHA256: 7165fb9ab3bb3d5cb170bf4066eafab520594c566575a75bb3cdd4cbdd2f0701 SSDeep: 384:cb3MpYDYFyraNwmaO8U5fiZe7ytje0GTIiiyxOSBBDzhtqgE:Y3YYDYQammdP5fv7ui04Iii5SnhtqgE |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\About Java.lnk.RYK | 2.33 KB |
MD5:
a8866c1e9f079b0c18e421f870e78a56
SHA1: 839a7a491ded8577c86366a780a5a9b1db913898 SHA256: 4a716c0a806262368b6598a19e18fd091643550cb6175d192f8a47a9dbd69837 SSDeep: 48:b37uC6QSgt/CYeCsyCw6FtyMdeC28LoOekHrasZ4:b6Y9Cgs3zt28sQav |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.017.etl.RYK | 16.28 KB |
MD5:
545ad0e727678b99083a3a23dfd66b88
SHA1: 77af948019a3d43e3a66a4abde1eaa85a6fb61a5 SHA256: 1c3dd2d0679a7e4796abdf6b1687db98466edc176cac0365b3368447f0996eec SSDeep: 192:m/U6vAIZ7DBS4omRtsh2hlc69sDM2aSihJhAJPwTB3REavTQdi1BYW1Pb8Uwoe5G:mGg7FootC2D9ExKTB3RE/du1PwoeYor2 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher 2016.lnk.RYK | 2.63 KB |
MD5:
7af12f267a002fd144f4728ee76a1c06
SHA1: 698b234b1e4b0b100907f7e499f7ed50163a3b04 SHA256: 9f6ef7eb4590b4882b3e6ba3428803cfc5ff768826d9529144848c0822cb2a60 SSDeep: 48:xyGC/jLvS+a+l0V5bBxv9By2lVn1PtOk8VGDN7q9LgGxQ4:E7/lUpb1zlVn1qVelq9cEJ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\10\197.RYK | 0.41 KB |
MD5:
264d0cc0ac710ece25bfae98da0eb007
SHA1: e24b979712dc8b1109a6fc23c9fcab5742b975c4 SHA256: ace1fc57a8c209391f0666e30ead069fb4452107d5b4f40a2b7c4856c9ad50e1 SSDeep: 12:8VUAOQoN2moZC9vqXIBCc7J1Yq2zKujLGO4:8b7oEmo8dqXII2JT2VM |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\196.RYK | 0.41 KB |
MD5:
f58d092e817c35e078025279aaa94772
SHA1: d13776d611e5cd7efaff1edae4bf2c62ef1719bf SHA256: baa4ae3ee32a662cea7359b4aae166d03a79a0edb74c18151daf07cb900d590c SSDeep: 12:5Fq109dG5LvePYs9h5xJpEE1+pjWYcN75IUG6va:5l/G5LvyL5xn7F93I36va |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.png.RYK | 5.55 KB |
MD5:
0b2513290c51cacf66a1ef87abe61682
SHA1: 5cfaebdadf206074d0194567c48dc2f48cad8de9 SHA256: 90d17f4319648657277f66b18d995eaabae8e2608f01becd5cd2308dd85c56e8 SSDeep: 96:h1HFpwd6Uz24ub8PNWOM9G5XfS1LtGKSzKQNp1AJ4+9THmwQThh0IegBjaKCO40/:TlppUzIO8wXq1LyTrAJ4+5HrGh1eSv4G |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Configure Java.lnk.RYK | 2.30 KB |
MD5:
18fa73d1ce6801cabe6fce2b1e2bff2c
SHA1: 48e5900f38544e2aad6e328f0a411f7d4b85d165 SHA256: 5b1ac7fd540a55e0c7a3fd1a28afd7bb20ddc75e9793827f5c894d65bfe56152 SSDeep: 48:C6WPw8XM08Fa9pW667RZxraBAi7gjP4YTuwFbx:4Pw8Xoau667NW/5YTn |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Default Programs.lnk.RYK | 1.50 KB |
MD5:
32f08cad2cd6646c3cd13a0c1791fdea
SHA1: 6568e4df4dc15f2afbc576fca032d1d8a72a9462 SHA256: db8ebd6e0218e872c81200ac66f6b540111fba6c299a671e80757c8364759ce3 SSDeep: 24:S7aeOw5ti/KjpWy1cf7pTXTUrcT7cdzvIWWJM4H8zxyTAw0/gXE/Weg0qn:Ya+SAWy1W7db+QK4H81DmsW35n |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\262.RYK | 0.41 KB |
MD5:
eff645d45723280abcec772b442ed8cb
SHA1: db4f0981ed2dac962ae04c740bdcb81e4684a87b SHA256: dcdafa7a80d8d5982a52f4f14047a30220780e6b994add6111bfe3b42f2c68c0 SSDeep: 12:zk3eqz67zzqDMiLa2lwAXoE3eLHaS6GlCOQ2V:pSMiuAolHaJyCD2V |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Wordpad.lnk.RYK | 1.41 KB |
MD5:
55691526b686b724f7f7dcccf8421bfe
SHA1: 8ad77345fa78db2b9b4df72f9463e4f054139a99 SHA256: d4a84798c6625183a685ee62855eb74497bdcb2b397d443c95b2eafd1a3375ca SSDeep: 24:Uw+TCAdisfHjXXlQUNa0trzLF9P/7Ar+fbU7ZaCw/Nmv6D5DZbsN:ULCwMkVzLF9PzAd81/NiUZa |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Devices Flow.lnk.RYK | 2.42 KB |
MD5:
a13feac354024f0e94a6f711508b63f6
SHA1: 29533f4e981c76648e08299254d905a537533f60 SHA256: 780872fb846f2d6399949c2bab754baeda4c3fb50f21d4ba7cea0bae6693dc19 SSDeep: 48:aD8jhTy1gJ4ofZCfmQiou/2mK5Uv/mt2D1xC70MC7//0nYzXu4xTS+9bKl2Qf0p6:aDTuJ4fmQio2BKeLP20Fr0su4xT1ZKln |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Visio 2016.lnk.RYK | 2.67 KB |
MD5:
c73950fdf295a7937e79bee7127dace6
SHA1: a325347e52f59d3dc98f39c48e70eaf02ddf115a SHA256: 251cf486153abdb9dded12948452b4b0a80a22faa701d4705afe87c67bb1252c SSDeep: 48:mIqgH+UI3JqGJECTJHbfrgi9BkZDd6MjtsRDiVRhE3Nwz2/XCq03:mVgHX6qGJECTJrpP46M28byfCD |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol.RYK | 0.71 KB |
MD5:
375c3c6ba31710ac6931a951c55f5fd5
SHA1: 688111ff8a3a7c6d39f74c0b068676a8dadb9868 SHA256: fac4fd7634d3efd9f48991c1c70a0fe2f04fc003ef0e0273c9ef142c36b48ed5 SSDeep: 12:pnouNkES8sO+4skwN5KMAuKCslJUuA4Zs+HwaOlXGy/LTWAuaphpeYfFxlYQFvRz:pouXShsb2KCsvUuA4SvjlXGMLTzu2/e0 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini.RYK | 2.81 KB |
MD5:
51a5c90fdc58720246d4a865ee64eb9c
SHA1: 4c3c9eeed981a691b08c1d3d2944d3dea03f6e97 SHA256: 1db65c28174caf8c748d4c5d4df46424db5f58dd44933730e26b0c15db1e88ed SSDeep: 48:Wb4dXA0SDpIk0ztUBYryBEA/JZtMHQ4pVJ2IT6j1GuagEc2tJpJ47YJ0HWX:WYEDukZBSyhKQTXgvgEj3pRCM |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PrintDialog.lnk.RYK | 2.42 KB |
MD5:
433231afc8cf82721fd4321ddf3fe197
SHA1: e90b68b6d1b93a23f8f32040c295617920811f6b SHA256: 33385a0b7c65eecbe8022434123cb3cd9243f14d460ab5be3b5d8c44f117d6fb SSDeep: 48:DB+r6frm9b0aYI80gK0c2w8cATuIrNfvkZorXWIrJu:DBJuYighfcAxrBuot9u |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Project 2016.lnk.RYK | 2.69 KB |
MD5:
a6f60454017e7f777082b841b269b842
SHA1: 9526d7cc95494c0ba5e60c851d2268b7208bff61 SHA256: 6a9344131c8f2ca933fdd6d48ec127277920fd1ab846ef778d97718eb4c4fbfb SSDeep: 48:VZi7b5tRGTnNdcq6/JADiY1A60/VZqv28yIQvrpDqhBvpz9pKi1DVlBz:VZi7b5tcrsqUy/1A68qv6jOhHDVTz |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini.RYK | 1.72 KB |
MD5:
83e25b2471bf0eb30b587feb56504f5c
SHA1: 362ac9dc5979a0421013313b97d0e6ca217b31f4 SHA256: 6b5aaf33d8a201f1ce4c24a2484a2c90f01482b8d16d71e3e1630b39622f8f4e SSDeep: 48:Ek75iLIO1/EjmaasXwuWm9nI+6ZXVwz3u:EO5iLIO18afsA89nINCz+ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Sticky Notes.lnk.RYK | 1.44 KB |
MD5:
403295de8258c217d6229ab89b2a97ea
SHA1: 6981a773899bc957100a196c73a96a6f4159e206 SHA256: 605e7af2b6879b253b945514e2e3e83f9186be4c800a6f8d90c8376fd1c3a8b8 SSDeep: 24:kLfLtLCaH3nTEl4EDJa81zURwjqbzJJnW80a8D5yhupNQ4Buwn97XDHdj:oJXTA1zU2qbzg/euUDcDHdj |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini.RYK | 0.64 KB |
MD5:
35acb5e4e02be939435e344d79466dc1
SHA1: 0160bf3722ac4734ad1b1615642e66e1610559d5 SHA256: a560c788768574a36c1aab51c3decb06a0fa71097b894d092961a48cfb627830 SSDeep: 12:ADCx8kSBA79OAled3yfAQUcG3iMBrTNY2xJ6sCBVOf1btdLxSpGL3:Amx8kPOAEdCfArj3Eg1nLB7 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp.RYK | 10.00 MB |
MD5:
1d41dfc58c286f2456a65223cc6f75f9
SHA1: 7888c0ce60a45afd96cac680b4418e5a029cdbf5 SHA256: ad7c0c82ce5331d8e83c787c85d664c2d4791e0dcb1735d3eed20caf57598537 SSDeep: 196608:yu+S5/KMnN1GuZV8dP02YxWCqoM4ffR/uRVr8E7ejFul:Y2dN1GuZV8dNTCqSIGS |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Project.lnk.RYK | 2.39 KB |
MD5:
d3a9870600882d98c61214762eb70d59
SHA1: 37f80201b332ab1d4837a121e2888fd651b57de7 SHA256: d0489017637957e324d53efabb8c2d7775fcd79ab96f9e82456716d02fe7c4e0 SSDeep: 48:Fy7llX/LbgYh0c2HWipJidFktH3DkLiExywYrvXYuHcQDy+sRD:FGl9gYzkyDktH3WWVvX7Hct+w |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateUx.001.etl.RYK | 4.28 KB |
MD5:
742b29f4345587f33d785b9c9fa838ca
SHA1: e842d41b6324d4a51f35ddf22729eb70c28fe102 SHA256: 6ead290f91af7841b3fa1caf9c46321d3ed7dd0a805f7d5a0c267c8ecd0cd4ad SSDeep: 96:v9s6NpYGR9kW2xtvo/dSY8MDC/6Hozw4t1qCWI0SX0tT+9gx3Vqq:15Np+W2fvo/eMDC/+osU6A0zLqq |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\288.RYK | 0.41 KB |
MD5:
aa04788b099fcf05a4e9afb7a08c3ed5
SHA1: 61abaacf2e3d8c058fc56d7e6ca1d91dcc3d0e6e SHA256: 4dccb8379eb7f90cde2c5e3a4ad2b1e5d5e276506ff9acb5db9f1a49d323810a SSDeep: 12:iYfPNLF7qLoG6YeNtQZBmOzjaWv8rLpLt8jqW8:fTeoG5eNtoBm2jaWkrNu2 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.006.etl.RYK | 16.28 KB |
MD5:
1b8fce3f78eeb9dfb4f15c26c25015f3
SHA1: 0add439c04ae21f55a8a96419a10c433bddf5b98 SHA256: 8fb6cd777864724f9df317a8affff7d682706321efaef0f84b53e4e438ac5dfe SSDeep: 384:JVGRj12h8rol5Btm9uWT3UeIBb/oBhEA6kkt7rh3beuj7jRb4:MxQUol7I5g/4hHKXEuj7h4 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\02\303.RYK | 0.44 KB |
MD5:
47af1b225386fadfe228b79f409bf195
SHA1: 573a0c43fd272b0549d1ede78d4b1b87f71c8598 SHA256: f6be33ec761235ba72a61ada591fc3f1e57723b4a419f7f0672b8c59e2d69e67 SSDeep: 12:EIlPpD0D7wjQ3CBwqa3dvKdpYguy4yeRW:EIco031Kdn4NRW |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\09\238.RYK | 0.41 KB |
MD5:
873fcb6da351b47ada36cb375d267ffd
SHA1: 26a058cbc3d23ecf48d1c2404553d18a70683cc3 SHA256: 5b651c9e58c9d3177cb98119d7fe72115d1a85c9280fb1b7b53c716d56317a70 SSDeep: 12:bicDsX4KFcpA1ykEDcmNfAPTIMn+OYqPQgzzQ:VwIKFcpWNEDcmNfAkXbqP1I |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini.RYK | 1.27 KB |
MD5:
96379384843c0e2bac5422d0b8cbdb3b
SHA1: b96dde26e58fca0add8e4a8d42725e6733abe963 SHA256: 61cdfd5104fcbf452f809061b48fda8d1d20c23ebb98c28baf4a6b6473f215cf SSDeep: 24:Mnk6i4tKouo9d1tNjepbYsboW5OAM73OWyCD:Mq8KousbtNs0yxu73OQD |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\installcache_x64\baseimagefam8.RYK | 10.00 MB |
MD5:
aeeb0546a3e47f56c8e7ecefbff8126a
SHA1: 6fc862f02851e4e5e3693fd9fc91383ceb303270 SHA256: 8c381934111e5404821f27e5d94a47096ac5f99aa1c6dcd4e4f520e0bff44b02 SSDeep: 196608:uJP0RHR6ADMycQX/vtvdxx5Sg83jC7DtQMp5lRuKNj41gAEjk0hLSUytmKXr/Rse:6P0RHUMDxx5SR327xQseEjkx/mGr/bT |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Pending.GRL.RYK | 14.89 KB |
MD5:
5041e3d628fe6919658d6767d5064ed1
SHA1: c2a8fba25aa392e67c06541eb7b7fd550039951d SHA256: 265c70d81318b6008f3175312138a96df315815a32772e79f8fc4749d7043cb5 SSDeep: 384:/pr6SXH5frirPm7WroYl1aHwJ/BUwncjaZmNuAuC5Cag:AcZfTqUg15BUzOZmx5Cag |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\3\0000000000000000.idx.RYK | 0.36 KB |
MD5:
fa70de4d7d9377605588bd6c66e5152f
SHA1: 027f30f404e4c2cbe0c7e41bb5d39e754ad74364 SHA256: c5242d820de452b6a26fbc0f2052f3f987fbbbc2e47f41f4078bd51fb103a288 SSDeep: 6:wFFdXe36Oo/pf3kJTrMvWdZUzqmFeNMdbXOcgWNECH4XFWK06RK6krmDY:2Fds9S3yTrUWPqRFxbXOxWNECYXFskkl |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\09\13711.RYK | 0.41 KB |
MD5:
46597857f3987020f85d011de7940f55
SHA1: eed0c92193dcb5d45bbd760a9b54700ac8aac84b SHA256: b8658e95bd4fc3f30238b103ede3fda4334e06d07dd9879c6417c509344c2a7a SSDeep: 12:tqD0jL5uggN0xHQW7HTPzdI0XEApKAYzBYFTl4M:sD0jL58NiHDb9dXECKnz+AM |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Check For Updates.lnk.RYK | 2.35 KB |
MD5:
7bbe56b3f14c296aafe31763efa820f5
SHA1: 9d33d0f2ac79cb15e58735a0ae4fa4a615ecb798 SHA256: 0e60775c65fd61a2b9ff457356ac5a4c16b3c0d1f8762c02166d9d07e2ef2fa6 SSDeep: 48:iqwkCB48JP++/GXE9y7rVsu0lPvoKne8TsoWRcT1+9lJ5:iLkCB485+f9JsXlTfWRt15 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Visit Java.com.url.RYK | 0.46 KB |
MD5:
beaaa2b3fcb857d5bab43eb91bef0296
SHA1: c832ccbc441238f9f89688ef03bb0f71e6c74565 SHA256: 63f9d5ebe4b018a9cd185eb85642ddb9be33fc04897f8454d69872255ec809e4 SSDeep: 12:zgJ66Uug4616p+lcVA9zSCMSWZAOUYR2joJYVZIy83u/P:8651Vl1S5xUYRaoJhs |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\21\260.RYK | 0.41 KB |
MD5:
72e7abe6acf6263232ec086baffee10e
SHA1: d27b725a4445764ca81bd5b38764b37bbad69d68 SHA256: df1562dab7582fd26fee04923b56911cf2aee0f8a4a14b0ad53f1ce8cd691ca8 SSDeep: 6:koxkE+uEbqXfXGmKv7/LKhKY+ngsTZjTZmSdGV1n9Xp9/8IvRIqJuSJ3ycn:YuEbqXfXK/LKhK7ZZm84T9tm8u27 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\1\0000000000000000.idx.RYK | 0.36 KB |
MD5:
b2bbc807102c1aaaed31ed707da44966
SHA1: ff253c60318091a01dd822086f0283829e1caf9d SHA256: 1babe5253323370cfe6543aa70047cd19a877d2610a97286b39a36f016566593 SSDeep: 6:L3KgtzXDRJdQl5Paofxa4G1vmAc7GElxU/AUTG9ctDbFr/DLSr9onfj6qn:LKC7Di5yCG6xU/AU6kr/D+or6qn |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business.lnk.RYK | 2.67 KB |
MD5:
493d754da648468becee05fa07a46491
SHA1: ae1cefc006fc1fabbd86b0bde943165d0bd40bf9 SHA256: 7b8bc1adda7e6b2ed38e3045c5e258439ce267610318715c7ff11cb342ffc379 SSDeep: 48:Q3QUj9BZwXCsj6U9Gkxl87ORNxUN1ZxXa+S92UkAM3NUEVexL3F:Q79Fsb9GkD87ODK7ZxXazkAMCZ/ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.004.etl.RYK | 16.28 KB |
MD5:
0bc9012b8adc1ff89f14d7e2090f6368
SHA1: 12510470f2ebcee6381d06eb8faff893ef5a5139 SHA256: be2c701fa1d88445b8a36998e66a4fdcee2f49520d79ce6b9ca91d57a7041f05 SSDeep: 384:REhiawXEmo46+kj9A/sXrnvBTU/4C9wpoCqSTBziUU4QhXGt:REhkEo6+kRpBnwww+bUt2t |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel.lnk.RYK | 2.64 KB |
MD5:
743748390b196b1b486d22bbd2b18dc9
SHA1: fcd8fc169ea8b41998af9a52cb8ef10d2ff956e2 SHA256: 23790449a8b9068df239b3eea7c7645ce83ac19d3b96ee647692a15091d4d592 SSDeep: 48:QzUWNRjv0wqTiUdN4Tfh94eqji3KbOFlMkBFkovmnIl+iABhIYdDuln:zuZvq1cf34ex6GldenIv4iln |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini.RYK | 0.55 KB |
MD5:
dd5c999be7f824ad0ebdd4e1a3661b71
SHA1: 48ba8b3dbbdd28a2f64343948f352fbe088ff42e SHA256: 13c54f8a55c84c036fd42a3eb4fb761a4136b92ba5a52c7c78bbb4d333129016 SSDeep: 12:YejK+4Pa8zgOcAgs/4GeEh1yzGqd44/Vy5xD0JCh3U:pjj4PadOcVs/kEhwzGqdL/Vy/D0JEk |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Math Input Panel.lnk.RYK | 1.42 KB |
MD5:
25ecc74fb7044b81ebe6a6319952372e
SHA1: 73a90bf2fd06db3a5067ad116482e09ec7c77733 SHA256: 22a4c9ca348b0f4310a46435c68cc936ee832e5a45df73cf6750c548e097a8d7 SSDeep: 24:Vvinu2ehD8ljRU44/JsKnZ/3r+EFkey3v8r2YXhpMjKSstOD1qBkvAKQLExtzgTz:V2uLCehK2b+9ey3vQzX/fuik9uTf19 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107002.RYK | 0.41 KB |
MD5:
30ddb3ccdd57dee40113d5e3840b81c9
SHA1: bd7cc60d19a50106fc2b1a464c13767bb1ce24c6 SHA256: ffbcf59b2d11c80c838366b290753982fbed3c0113378d88660dca0e7042b778 SSDeep: 6:yRXarD71sEmrnwZ7mZo+GqizfpniC0sayZQIksC/gJe8TnfpVXrYHjwM:lrD7100ZyGb1l0spjkJYVXMUM |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Active.GRL.RYK | 14.89 KB |
MD5:
d6cd78d53f8bd9abc44b33a4b2087db0
SHA1: 36ae4597af408101770a063abc4a2f2b913fcdf8 SHA256: 36f9d040b0e73f51105280da5b10e6548cb146a7aa356a6b6bd812e196c8fac4 SSDeep: 384:4VO6Xa3lYQOf8/KR8zu/qbqhRfjRPROdTLs5TY:F3l5Of8NIxNPROhLOTY |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\00\192.RYK | 0.41 KB |
MD5:
2c16b32a5307fedf0b22eb4fea203724
SHA1: a9592e6eb10812eb7479e874b38c5c0c719e801c SHA256: 4190179b3a44e0ea22e1939c0d1711edee68bf7f167ce6106174974e090c08cb SSDeep: 12:uaI18E4ZJErgtIXNoJTsEg5cKrNzReTyNI4b97:uaI1P4gBXbNNNemBh7 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\2\90\B6D0EAFA5E8634A6.dat.RYK | 0.72 KB |
MD5:
c98912e0eb9ca88cb861d4cac0b2047e
SHA1: b2417a25d499a566ecc1fcef67efc50ee718b449 SHA256: 52d53dd35cf35404dbb8f22eb09ab287c7aaa97c320b3786393fc9746d61d703 SSDeep: 12:HA8FWBAi2v5XAazdy9d+hKi2gh/kpkfMZ9pcxYlIhPi7CyLezAnXViY431cq7o+H:3FWsRXAvYF2/pGg9ywIYazBY4Z7o+Qon |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\191.RYK | 0.41 KB |
MD5:
d31b7c50f5190c0f04b1647c9e51fe8c
SHA1: 26d68062a8d00a7642577ccafe3e91df434635c0 SHA256: 299a35c210388b6751d1f6e99a5f28af495377a356c7eed4301d6a98790eddd6 SSDeep: 6:NF2afZpv6vOFXZiV/2j4btYqMpdoJ7UwqY3glza7SoND6cVWvOoCbx:NUupv6vOdZ2ztMpWUw7386S0pW7Cl |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Outlook.lnk.RYK | 2.63 KB |
MD5:
4a2fe8d02155ab34d19a24400754ab4b
SHA1: 80b3835de18a451efc0887811f3481bd4f697957 SHA256: 681f8b0265970b205fef7795d454c42955f5673419eae60078bc8e1c70f3851c SSDeep: 48:sl5Y/QA24+jRH4IyXx7d3pV25sm26GyNZO1l/QwtE+bsx0jIvmAy+89fN68pH4:sIo7NRHxyB7d3b257IkZOnVtE+bsxUIB |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint 2016.lnk.RYK | 2.67 KB |
MD5:
91bf5685a04185260131c761f93d5130
SHA1: 49c67b611b2a6e9fe9c318ae5d791c95e5c788a2 SHA256: 39899e2161485ab1ba4619f4a7291d797020da0203fea57fded6291dab6afe1c SSDeep: 48:rJEYtqMrjxcdms/myP3w8zC4fBy+kJn1iowPu6SdnDQKkLaIZu:rFzr17s/9f0l91HzbdDQpLnZu |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini.RYK | 0.44 KB |
MD5:
bc69c28baa5e49d4293d9d0057f03d76
SHA1: b640ee7bdf0462f175966e22b20ee9901218d637 SHA256: 03928cccf603996d30c5794ecfe866b5ca47a02fc6443c0f6800cb7e21bda43b SSDeep: 12:WRd/ijFtVMzfyzZ6OO+Ec/o307ZSuZrN61:sd/i/q21onc/A07ZSuVN61 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\328.RYK | 0.41 KB |
MD5:
d2484aee4a985c72fc674b30309c26bc
SHA1: c78b467fc0eea444ba5f5c7327411eacf190ad72 SHA256: 51ff3c59f79e4681dc84f2e26393da377b49c1b4c7076dc0a94f3dac07d0de32 SSDeep: 6:KqlSwKxebVpTzAnK4jqEhK/+l5w7UyggyhesxGgcUTmQ/wMgd/GVqnnhmP1P9TW:x/y2PsniXWl5wwgyheUGgce/ogWGPVW |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.0.xml.RYK | 2.21 KB |
MD5:
98e1035080b06e099c5712789335c07b
SHA1: e867771430ec510ec47dc1aba5f32396e1e5d3c3 SHA256: 58eb5e53da49a8b038386ef16e4f87fb73b95c6d6a6ea9416cf87eb4fa18a85b SSDeep: 48:0SfJ93ywxa3omzZKqFl9pBA1bJ0J23zB/O8GbSSLMeYXwWUQPCs8:0uZa3omzZKqFlC1ba23dOj3aXNU9 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini.RYK | 0.46 KB |
MD5:
c24ce4669db6abfbd3d1f2cee2a62800
SHA1: 013a5510391197bed2c129aa97386200a37e3a35 SHA256: 17ccaa4ea2a3a8f3c4f73b0af42cb2bfe7fd8be4ba1bd96c735ef952f0b95980 SSDeep: 12:obR5ADhEI/nv79QjIJeNldtnzE7KjVaKKyOHGFD9BVmv:obR5ADhhbGjhldJZKyOHCQ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.bmp.RYK | 784.33 KB |
MD5:
534719e59175d3d5b508b7ec452df835
SHA1: d2aa3c0e3da6869cb4cdb2f4b361507a1873e014 SHA256: e0b12b740c7e8f5de482268b41f139d7818f0480a234044ff7f2e08f892de7ef SSDeep: 24576:VVJdqhi8ja72LK1aKksNjhJ0NTCVNJonHU27t:TJUs8jSksRvonZt |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\2\0000000000000000.idx.RYK | 0.36 KB |
MD5:
cbefbfe9a59df4b4878f66e803867b87
SHA1: 59e43961eb852905153a8ab86a3519efcd1af4d7 SHA256: 89fdf4190cbda859dff79a65fad195e1dbfae39991d01bc45e611dcd3b43930c SSDeep: 6:/eZ95C6VCRnAJ2V7vSdJ1jD/OcQwBozmkJgktJhtWLv1ElGVsmsBLiF9:e5C68RAJ2cJ1//OcQwezm0d7WLWI+cP |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Search.lnk.RYK | 1.83 KB |
MD5:
544a657559674c584cdc3c2bd523e7d8
SHA1: 8fc4121ca8f733753aa8e713ac47acea7f9fdfa4 SHA256: 4fd4171a12aaf7cbb53bd3b4312b6f3e32605e143d0a15e4e0228452455950e2 SSDeep: 48:QeCQOJ4ENhQjnsx9oFdZoMLnAgTgvwjljT4WL+b/xt:QeCQ04EinsMo0njTEwjln49/xt |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business 2016.lnk.RYK | 2.67 KB |
MD5:
e93c467563a5c1b585058f9ea42bec11
SHA1: 8836c96b14ba99ebea539f64b4af0bb5c9c9ac04 SHA256: de51b0c5a4ed774bd0df4f331424da04fa620277e4bfe8f30996ac57dcb7a43e SSDeep: 48:XujbxqhwboX+EROQnSn7bkND82bpHYJSyDHCCBjcW5ztOvKom2dbyfwOK:X8lywboX+KOoSndHCCQm8SomAwwOK |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini.RYK | 0.64 KB |
MD5:
285f1fdbf50d017a136317566bfa0910
SHA1: 0d4ec4ae51c1be77d636f22c62ef82c8349f7def SHA256: 18a6eaeca5aa5e84c8a9d736e1af77de3551cbad760a221d72c042f564820870 SSDeep: 12:ueRx6xI4J6m24kheC3l/9BJaQAgH6+NJBT2ycZxhKz+:um6hnkU6jJZDH6yP2lZxv |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.bmp.RYK | 784.33 KB |
MD5:
130ab26a71550e72504454c6b101775d
SHA1: 40ed37bab87906fd1d85e06618324da0ce0b0735 SHA256: 1107c8a4ce3391afb54b96fbbfc273a4a67575e9edb4504280e146bb6b74e1c6 SSDeep: 24576:vFNxiaE4DavWTqwkYUy6QTpY6+OYr6ZfS5ZZe:vvka/hT+YUy6Ie2ZYy |
|
|
| c:\programdata\microsoft\windows defender\scans\history\mput\mputhistory\07\273 | 0.41 KB |
MD5:
4fba6e7289b1746e65cf99c5e0c5c982
SHA1: 995b963e1ea38ab3b7979bd3433860a49f3716ef SHA256: 19c8b391d8dcaea0133594794f7f3991f63714ee1d59d1b1cc3dd05e2667ef1c SSDeep: 12:ziz74gKNAYM0vN7GogJ2A2Y4wWdF72DT98lBudIojNOc:sEgSAYpvN7dF+4wWnyT98cI+gc |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-48.png.RYK | 0.77 KB |
MD5:
4899277da865fea0f9259b38103b1c23
SHA1: 99300ece4f71ea86af836e64f014b03b0bcb44fa SHA256: d7381b0dab3352150e33ec23abc4d2140d1acc762998b7871320b573e6c42af8 SSDeep: 12:Msii0jHkns5xss0mxKqhhMomod9dT02jbB332VgLTdwzrsJe/siwPeSLoho0Ypvw:Wi0jEns5xtQq2K9dJ2z2e0i6IKu |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.011.etl.RYK | 16.28 KB |
MD5:
731988af7970721524b7966b033490ea
SHA1: dec3b3a2a1c44fbb94863ea83825a4dfdb407eed SHA256: a5fb0a0632f68014b5d427a791c0f7dededfc7a20d809384d4579127fae56fca SSDeep: 384:tLPrx2JDqZOwWsv5mbXuj6f9R7nnw6cw/P1BBDosbWv:tDrxaDbwW+6zPzcwVBOcWv |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Word 2016.lnk.RYK | 2.67 KB |
MD5:
80f580a63f427722eb20091f7e5a3fd9
SHA1: c1988d48009514adf139480a9cdc72a8a139b48b SHA256: aa6df18eaee87e73e130ad711db5dabf770bcd2e69412f1bb7067a42b6f0b680 SSDeep: 48:x9Ma9yOfBYbgDN1fqbzc4ltctP16upKjsD3tvjkBsIlMUayPnu:x9MalfBYVutPwuwo1kewC |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\266.RYK | 0.41 KB |
MD5:
ff8623561d7d1aa08816a8bc58652cc0
SHA1: 6a6023ec7f006c142a291db7d44333475357d205 SHA256: dfbc3be98b1f8ae2eeea4a39602f0a905918efd8bc2f4d5860b1ac676c08a4da SSDeep: 6:eIsm4kWZIVGrrXOkZ7Mm1Ludnhd/f+DIGIK1khSpkXNX/uAdacpbmouVhGSqdbM6:exQmrOkZMNdD+DIdSpkhuvQbL+4ZM7ls |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint.lnk.RYK | 2.67 KB |
MD5:
197ac726f866ba05bb3d8555a21698e0
SHA1: 5605ba77767a068f176c13b37336b173ebf89e50 SHA256: feeb5fbb4711727f4c1024e5fd3568e88951237e3f4b4eb24a770e8eaff9db15 SSDeep: 48:W8f8kbfEmlcposjaFU7l1yHmNIbdTgLnVY3GErL9MZvLMG9:lf8HmlcLrl1yHmN4TgLnSrLAL7 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.020.etl.RYK | 8.28 KB |
MD5:
81208c2cb8b7efed157db359f2493927
SHA1: 94fabcf3bb1541d0eb16dd30636989ec4c336c35 SHA256: 8653b137af7cf833061d813617e9de5017b26fb9fd570510df52d489eea2e61e SSDeep: 192:xoyN9Ix2BMYANtb8WibeWfP7GDl9PHqNh5ts773CAiAP24gX:xIcBfANJGblrG/qBts7G3AP0X |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\Acrobat Reader DC.lnk.RYK | 2.36 KB |
MD5:
fd8cb88bebe16a264f2f6f3d7d585cce
SHA1: 6756dc276f205d117ffac3b99b6f286504588b62 SHA256: 98b6a9d79a66d8c2cf8314f2e01d8fbb186ec6dbf59c9ae83155842b484f4546 SSDeep: 48:M1OT/1Jb1+pGzAjBqxMifdG0zf/paZLWRm2/KAVLSc:M14NJBXzY+d7zHYwRmwKoSc |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Live\WLive48x48.png.RYK | 4.83 KB |
MD5:
936114b384b6c94a7ce2b45139ff8a74
SHA1: 651bcbee6f518fb5f4111d8d5f13dc6cb937f374 SHA256: 309d174ae68f33ffe642a12de1986a91585ace1113b99b02113fbf0e112dac72 SSDeep: 96:ejXBdc4ZqpU7BR36UU+cRXxgMLcD3dfSoK1O/vrozAzgx6X0yQzB:ejXBm7psqUUfv7LifSoKvAzgxM0nB |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini.RYK | 0.64 KB |
MD5:
3f22e9ab196c6300de295642ab200c4f
SHA1: a33ef5d217818030d3bb6c8322b543f0f357c6d8 SHA256: bb83c9e4734946424771c4eec114ecc27bb56987f67139aad6d1049113b675b8 SSDeep: 12:RyPnbmdoVXf6yX3TZvMb0TNGLFGwWwtLDxNBRAG46w9sFOi9Xb07l+L7e7bvulm:enbmdoRf6yzZUoGFGwWwtLTBRwQX4we/ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Steps Recorder.lnk.RYK | 1.35 KB |
MD5:
22fe18e0c1456b8f2f1f58d029720d35
SHA1: e1bba335bf0367b9989315d545e10030a9c2bb54 SHA256: 11e804091ae1512e4827446e7271dc005bbe172be10cbbb2efc563b025587774 SSDeep: 24:NyxcbpajYmvw5qQcZceHHamXpkj0u5JWJLxOFmdahpR1VHKGxrPYloNLgD60R7:msp5qHZcenarjBaLBdah/vrLIoN0e0R7 |
|
|
| C:\Boot\BOOTSTAT.DAT | 64.28 KB |
MD5:
ee3c7477ccb7d145212194725cc07079
SHA1: aec1410ecac866150ee3de35ab58571c50beba3a SHA256: 44ce14778dc497ed692f430685e843b095b06431846849fdcb5a81b3b5914753 SSDeep: 1536:Yf8eXrXTgpw2I5jJK+tqj2s7lCLHyPz+mW4Co9wLXw1m:DeX7qqjJkjPlCuL+mWd |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\dfrgui.lnk.RYK | 1.41 KB |
MD5:
060643a6596b408994ade1dbbb0ceaf8
SHA1: 98b7017c79785ed6e6dd68a09178fa0391e9d6a9 SHA256: 9df6d74d404ed4ce0052872764aa017a2952a4dcf69914405fc94e14b26bc3c5 SSDeep: 24:ZrUoXUNUNiiGxGFVRwNqw3yg22/AETrfRGqf5spyl+0o0yWoLS643D:ZwoXnAlx4wswiV2I6LIqf5sEo3kD |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.001.etl.RYK | 16.28 KB |
MD5:
9bb9b7cf666c6f73d185ca69db3e1a44
SHA1: 26dfa84508ed22a78272bf985e96a3a98fa3e551 SHA256: 4d19d2353490bec75d6904706dcd19b516bd16615bc1c6d2938f2e74656b4ee9 SSDeep: 384:QMRRB6uQoN+58ag5zct0tnd2eJlkJasXp50QBVJi62Z2xt//5LnPM+L:QqRBTN+58aSq8DGp7Bj2UhhLZL |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.016.etl.RYK | 16.28 KB |
MD5:
a348324e7650989118e0207a3a5b61b9
SHA1: 2b1ab8f0e394adfce1dcbf0e0ef75aef710692a2 SHA256: 4f508fe19f292daaa76d9c569607518bab1dcf657bf6d34e3ab63dcfe764f000 SSDeep: 384:6mN1NOS03T/nRumCQNrqMwvETMxWRi6lhAebdA6GU:6mNl03TJz3UEKWjYemo |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\09\287.RYK | 0.41 KB |
MD5:
1be7a89964ce578fd13124cb7fd87655
SHA1: a354ef86d45bcaa222472d9eae07d9e93338a4e7 SHA256: 60634bdcde7085271f0a2995f07816bde8727d078fc5e8de6bfcd57bbbe86829 SSDeep: 12:yjH0GTJgTXV8pjhdXVDcIadEdMBc98WTXC:yfJ8XgwIlywXC |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access.lnk.RYK | 2.64 KB |
MD5:
e4f239f2ba44e7ab57eca2d8eb406707
SHA1: fea3aaff88008ccca30ee9ae686f71eb5a08bfcc SHA256: a96ca28e12da38b543f464371f08988be133e5f92e6031511c0503d76b0ed2e2 SSDeep: 48:bznoj6bcacGU1EtUJhsSWR86zPEM3L+jqL3Ze9EX8sSDcNrAsIBiCVGwv24kY:/25JJhRURDEQpG5HBieGwO4/ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.014.etl.RYK | 16.28 KB |
MD5:
917e6701769f9859a3e9b5afb57b2f6a
SHA1: 37997c09be8bc754f799308b353b8bbd6532ec02 SHA256: 87c9587130e4f6a664c1b1f059b4a6955dbcc9a483c1170163b5c1c9bc4932b1 SSDeep: 384:MgAVHMTVkoDz4bBdCVE/atUS2/07gFSiMU7tzb8ykgAHrwo:As5ktzC407OSitzigod |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneNote 2016.lnk.RYK | 2.61 KB |
MD5:
7ea2d1ba2d43cc1eb59119c2de1e60d5
SHA1: 218576f789380a07152b02bda8f185779d33b220 SHA256: 0c71d383d6cfac94a36ed46b4627a8a88d529ce6d3e3e77a2dfb4e84c676521a SSDeep: 48:f+l6XgFTV5FVM6GwLmprlEkCZ33EQDWOLTkTR4/6GCP6tnssMX8PQKqb4bb0swt1:fq6XgZVzVMKLmpy33/DdL4R4SGS6t/pm |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-192.png.RYK | 2.63 KB |
MD5:
abe2074a8c416fd964d13ff973b97368
SHA1: 8ef8b76b4af637e0073d6ebad3b68f90e3b1aa40 SHA256: 8046b205b05c1d37a7037d1ec8c3bfdd35213e33cb5e70ceab1d47b57b6ffbae SSDeep: 48:/22m3s7WE2hWxoGEW6Fih9MfeqevKO+r+KMvxFj/+G+z6j9WsyXi0OHFALvTDDS:/WbrmoDU9MmqCKOBKMpt/D+zG0Xi/HmC |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access 2016.lnk.RYK | 2.64 KB |
MD5:
0932f2431e40dd3ee16e2b5909a2b1ec
SHA1: 90dce56c12121223b9b2e034f2749aca671195f9 SHA256: 2781158908943c3ba960e25ec8b6f69884066b75053ff1c2783c912754ff2b84 SSDeep: 48:oBXk0VjFnkiUfnMEo7fQJLaE6vjtyakNN1UGSM0keeKYn1dkhI/iYw0x3:qvlLUfnM17fQJ+vZyaYFSjeKYnAhIa9S |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.008.etl.RYK | 16.28 KB |
MD5:
4458721620302e1f7cb2e08537464d27
SHA1: 9b51efb587b6d1537e40767e09c33cbc6949cb7c SHA256: 37e8e610257f74559d0a7b2337582b6021ef21b129098047bfc8e1ebb27ead72 SSDeep: 384:0aZ6eecBNafXyCHYqoMi9i7NhpQSFAMBKJ7IYSz1hq7SGyfDkq:0aY9eZCHY7Mi9Ka7lSz1hq+Sq |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\13\278.RYK | 0.41 KB |
MD5:
cfac14186d987837714f3b6a4dbb65bb
SHA1: c92b3dad06af391babd7dc9d790582f4578cc74a SHA256: 629c68a983a6cc03c75ae372ac2017fada00acd0e00a0ce5714ad4054df4fc6a SSDeep: 12:nxAxOlUupOd4U45/zSaBdJ775zIYhSCV5wtf:nxAE3oeNppBtMYcCryf |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.010.etl.RYK | 16.28 KB |
MD5:
537a8238742c34050a7f964823a02709
SHA1: e39ab44ba4cb71fa87f59082f602247d8b4159c9 SHA256: fb93092ecc6165cd1bfa0036d8abe56151f5d8e7be05abd69af6c6be00946b69 SSDeep: 384:uhqTYgVeyD4PsTcp+i7bxVZQnNtRwu6NuxLz7HR4:bTlVxaBpl71QnNtnGM7O |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\06\13710.RYK | 0.41 KB |
MD5:
b4db030c2e904c9fda241f34990318dd
SHA1: c7330022813a8f80ab1957c5892ce1493cd522e3 SHA256: 3946e95c16a5ba78190a856c28459fa9e27b65e6536e0d4f3bed736911d08984 SSDeep: 12:pe7zd9i8w/xtI/+qXQ39Om0MP7a5wKvqaGrH+dZsL05O1AH+:pen/twJy/+CQ39j0Qiq9QaoQ1Ae |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\13712.RYK | 0.41 KB |
MD5:
58fa4680084c67457321a9700c32c8c7
SHA1: a351f269501c30aec5ce6be29c4c238989c0d201 SHA256: 48ce45fef456744928be378278ae4ffc9bea7ea6660dbe6875fa72e505a6b229 SSDeep: 12:tEfMI2uWvDhr6iDJ91iJeN74aSVU9Q/hTjv6s:tEU5uWvlNDL1iJeNkaSVUm/hT/ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini.RYK | 0.44 KB |
MD5:
828fcaad5d68f00b8529ccdf29c9374c
SHA1: 536ab2655f8edf3b0bae2cde80ba14a1a36d939f SHA256: 9db1c9c6e5b3d91532837183406a04220f1ac1c9c2ba5d3dbf13b39bb9377ad9 SSDeep: 12:BDxCp6l0xt/DkBvhx0KuIQoUNT9Wni5bL:BDk6ut/qTuFoq9WSL |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\setup\refcount.ini.RYK | 0.30 KB |
MD5:
61bf1c3a86cab5b9d0a9945bc3dcb080
SHA1: a2bacab2c025726637e77d666245690987ce9be7 SHA256: cb237247ed1a6e9e166fd5a25c8565f38ac49b6a26869785cfcf181f33b8d67f SSDeep: 6:Lgs6SbQEO6yPHnQ/BhxreXHFn8Ls9p7oAqxWD9UEpsAPs5opFe1gU8uD+HC1qX5m:Lj6SbQE2vQ/A3sq7okD9xhPs5oK+uDT5 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\04\259.RYK | 0.41 KB |
MD5:
978b748375dd4c4ba4a28fa6d02b3478
SHA1: 43ac75befd4749baa672dd7a28f4585a05fdca72 SHA256: 377bfd83ddc7b50b817e3cb5131ff9186a0f92c8f25b6c24226bf16eb121af11 SSDeep: 12:8uxzufL9sBL6TsVi9cSYu4SvjWp4lrMA8IK+oL+dz1/3URK/Hn:nxzuj9sZnVecBSvVWIlkeqRK/n |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\193.RYK | 0.41 KB |
MD5:
5ecf0a864ebf5cf90a1cd8cf70422380
SHA1: b37bc2464346201e36a82b52bb6c1ac01a4abaac SHA256: 053c774ab01dd685ab88d152d1aed295a2bf5f0d9702a3a794c99803bf3b613b SSDeep: 6:Ecoc3SJpZGii3fjpSrseaQ7nO9HftP1Pu/sQtmM4c9AvOsrQbcjoS2LBMSepVCI5:3oc2ULvjIS/ZEFm+Ze2LBMSep3oOmG |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\03\324.RYK | 0.41 KB |
MD5:
c5378570aac28534463012e399721865
SHA1: f2c9d66c3aa1756ad056a50ccbe53cc42f4c2183 SHA256: c655dcfa93edee160394f7779598767d8fb499ebdeb9d9818cf5a96d2793317b SSDeep: 12:dkKn3kXQjrzDy3ptw/K+LypfolpcUGCmQsDsB8:ZnlrnyTCypfqHGCqL |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.007.etl.RYK | 16.28 KB |
MD5:
a1494062d9e39ad5429810d3b1db1535
SHA1: 71457a5c0803ee01597486a5e43d2d7caaab940c SHA256: 7171f959b71023acf0bd42f840a521f448bdd215289e75642f8a8b16e66819b4 SSDeep: 384:f6cvXxEY8MNZ2xaOemRcHPRXbYsSsFhaPIsar2n8KrYutlk:9NZ2cOeKsRXMsewsU2n3rJtO |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneDrive for Business.lnk.RYK | 2.42 KB |
MD5:
8d10727ce5eec2497f7c4c45a2a9ea16
SHA1: d53c8543b9d2c784f459607fddc3b224ce474d15 SHA256: 53c6b1f52d3d504ddeef3dde271666111619bc4b55d0c85bca3279ed92e56496 SSDeep: 48:f0to9TdVHa2BDAURwdVuRP5ruvA/h0tv34MyGbiBMpdTBk/RIGrvFBFwktqsfvG:f0toFLH/DAU+udkvAJ0hEKxTBkpNrvNW |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk.RYK | 1.60 KB |
MD5:
9ef9eecd22e5d3d46807386d5974a7dc
SHA1: ac8d2aa103b343896a305a9bb8ab9fea3b5b6f32 SHA256: 787e7106a6f60741010bd7cf68a4ba2431a33421171abab08ea840dec3f33cf7 SSDeep: 24:ZoE4mRN8OyR86ba4Zi94tyBLrdvZrX6gP+fF72XIjmzXjdCiNiDTEwxXJ03TYLoR:KE4EN8OyPbZbgMgmfBEfjBinEyXJbosy |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.015.etl.RYK | 16.28 KB |
MD5:
a815890cbc7470df97b220348e80cab2
SHA1: 222bbfdc7139cfe81915eea6bbcb59131670cf10 SHA256: ea26fde02e4f7f1d76f79a9052fb0c6b537a18c435b5348c991558a8442d1bf8 SSDeep: 384:3UEVTjzGa7GH6J5FmcI+gOX95YFiNYZlw48OdcNOJl:3jVTG3SAcI+l959Yrw5O+kJl |
|
|
| c:\programdata\adobe\arm\reader_17.012.20098\acrordrdcupd1800920044_incr.msp | 10.00 MB |
MD5:
af3a54f42cb79a0ef2e8899b0481cb83
SHA1: 4576a1c410e8e1d68c814800b08741756ef35260 SHA256: 397ce76d3b2be20f57254f5fa80188ff36cdea4e7976a4f6a1033d481d729bec SSDeep: 196608:yu+S5/KMnN+wNR5bnZzwitGRFJvW2YxWCqoM4ffR/uRVr8E7ejFul:Y2dN+wL5L6tvhTCqSIGS |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\271.RYK | 0.41 KB |
MD5:
0a1701d57d9d3cf27e80fb6e5558d6b2
SHA1: 357753219004748abecaa009ce1a32366d78f5a8 SHA256: 16f473be00daf2e1b5774180426f239796b421992deceeb5a86d943c15572ea1 SSDeep: 12:5VLvITbEB9x4x1VNap1fFfoo8yvaBa/G1mehlSXLsQn:bL4bEOVNaXhrl/cpOso |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Visio.lnk.RYK | 2.38 KB |
MD5:
430ded87ea857f3768a236e6ec8ad2c2
SHA1: dce0b9dd76fbc8d41e8b24edf3e074a8052e11c4 SHA256: 6ccad8028024f7896d6ce88e7fe414d84d429a520cbeff36dba349b4e3f98958 SSDeep: 48:uIPIlkVuP5S9CKDO32rdwNJO8EdiRAnkxLJhEkcr5RBmy:uGI6uhS9U32rCJOZ8aktJGk+5Cy |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\04\261.RYK | 0.41 KB |
MD5:
ee372d866fe53d0e22189f564ee987ed
SHA1: 8886bb3bbca68330f2468192e206f665aa59fd79 SHA256: 20d29d1444b6650ecbaf440824cb3ad61de1088d2bd108409cf57863041d1fbc SSDeep: 12:t1T7bUrUJjYeVVKAUc5mjh7sOerPjJ0iyIoFeh1GzX:t1T71JzVP5mxenJ0iNezX |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Word.lnk.RYK | 2.67 KB |
MD5:
99ddf05a02ac05de1e5162f7f22bca4f
SHA1: c3d6fbf98c339271afc11ac466cfa901c31ea4a8 SHA256: 16c3819fc0bcf59e56a30a373a53b765fd451e4f2677c9547f3caa63c016ff56 SSDeep: 48:fkXKhPoroSs8J8xF4Uk3DP9y3Onf4WBMSJ9WwOyLd5B65XsOgCiZ5N:cMgrG8OxFa3DPo3wtBMA9JOyLdiBsM2N |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\12\194.RYK | 0.41 KB |
MD5:
6f3f476fdf0734f0e79e3cd9fd045a4d
SHA1: d782f0df680f210881cd38c2ab9f764f1396fc18 SHA256: 49c1cc453e433c3183b490a5856d586ef8aeaf2f185cb5d824f62341fe90ba08 SSDeep: 12:4UJZ6EV6IhW7lj/Rr4Y6fsnUkJtjTo68njn:406EVSlzZz6fsnUkJ5UJj |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini.RYK | 0.44 KB |
MD5:
74814d95e0c73b784bbafab922d337df
SHA1: ae02dbe434ffc6bc5b9bc078a7854bb93c31efed SHA256: e32f6df0408394ed9cf54f10df53ac1e5e8539ffb606cd38157b1176375ab1ae SSDeep: 6:B6Owoc10XW32WUce7GKocEnYnBYz3vpRNup14/Korqf2p147FzHRgGD2cC3BbwoN:B6O3XQUzTnBabIb4/KorkS4ZD7QqsGJQ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.018.etl.RYK | 16.28 KB |
MD5:
4169042795ac82a916d514b076e5ddea
SHA1: 289440e242b57f009e515cae25b376347af90949 SHA256: c8dab05483308cef0afacec60b7b3d3332b509faebf8366856f18b96d83d0e2e SSDeep: 384:ecKBgCbXDtYgvai3jC8dgC657b5UMKZD0bIbyJtKv:ehm2tiNC47bz+cKv |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedScenarios\Windows.Uif.static.RYK | 2.83 KB |
MD5:
6cefbe21d2fe37772c38f8703fdc7d9d
SHA1: 6a9c9383b773990c85d78cd9980921af2a9741c3 SHA256: 5563441cfa910cac1c8be72261a9ad8c625f411d0f057ec055284a7af600d391 SSDeep: 48:WG46EDS9SslfEzY/VL4H520Chp06XIhSUm6ONXUDDSFOjVIUJu5a40pDTcEBKOOo:54VDSL0sLII6ONXyJIIu5a40pvcX3JM5 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\195.RYK | 0.41 KB |
MD5:
79023922cda2bade4cebf3f5b633105b
SHA1: 8394074c5e016d2bc32b9cb2074a811f5bc6378f SHA256: 85a779692f98352b90a756526a6bdf3973bb2bb4eac1219bca283b0a43d2a341 SSDeep: 12:MMOu3jTP4uFHPYmYmOEVax10JC4g+PT5yi:/4q8nL10Ut+rV |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\198.RYK | 0.41 KB |
MD5:
1a05b7af1cbe702a53c90cf011423c26
SHA1: 6fec8ba38cbefb44d2669ca7e2fdf0ecbd9488b9 SHA256: 48a46866c6e720d1a9165224dabf81d793ff47fdb617470676d6af3e6951ef1b SSDeep: 12:vvXvsG+hxRo4HvDyS1oLLDtfuz3b/BeSPzGybIUn:2hxfb9oLNfOM6GybB |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher.lnk.RYK | 2.63 KB |
MD5:
ad1f6a4e1925d09743a103fa6106682c
SHA1: 130f93d776f022fda340615c2d556369c1aa52f1 SHA256: 249dd4f7ceeb9741f16388acee6129c03d443bf00d970dae2b0ef606a4cd0860 SSDeep: 48:RvNnfaSU1Gp7ukV+nZhkziwoc8exgpwrJ9XTPTZRk+99oZcV:RVnf+GpCVZyziwUHcPTfLDoZcV |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Immersive Control Panel.lnk.RYK | 2.56 KB |
MD5:
db64cce5274accb4d563fec45287f918
SHA1: 078834fca5290e21a18420c5d582b0a3fe97ab8a SHA256: 8718265a8ef7e7013ae317bbed1eb00b116ccea71c66de59e403f8eef36a88c5 SSDeep: 48:ndk0NBjO4JYIJY5Zztgm1wzNNywB3WOels0EOnHp8A5xZTKo:dZBS4yIJqZZBwBNywB3WOels0EevdKo |
|
|
| C:\BOOTSECT.BAK | 8.28 KB |
MD5:
b0b4b99163599acffb8aa5f7299f553d
SHA1: f8732a3ecf5425229c3f582cc0874657f9b63f57 SHA256: 5a9f513b0f92b1d7db8287ac871830ef234202e415d2b7ec0fe5b35f605cc983 SSDeep: 192:LgktNgEGM1HIuauqva6JomM4ozAWHsuecTpHINH:Lg4uEGMpauUMpxreclHs |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\XPS Viewer.lnk.RYK | 1.38 KB |
MD5:
29137a89f232c70d37cab8fc3fc86631
SHA1: 453e25a226a4cde70ce6514744d32d153e50a7b1 SHA256: 0b07d67d501daf6e9640bc88995edbf90f096a571533c8d5f47b00ebbff2aa97 SSDeep: 24:DopD/CGOxm3XYk61HgDMQsPujHz1NMpT8VoyYDxaRri6wfp/M1Z8QNGIMCTt0f1V:siDvAwuH1NzVtY6wRRQNGIX0f1A+gu |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\22\323.RYK | 0.41 KB |
MD5:
500557235213a0179b997cc69ff86d85
SHA1: 899b3ae875788e154e5aab79a12d101ad9c2da56 SHA256: 3c6e2004f1764756400ba1751cb5fa669f9ec0bb55ecb1ebd108148727cb482d SSDeep: 12:4/2skAZAnLOc5mih/Xow0+x1A37QyRlvZ+:4PpZAnLAo/XowKTvZ+ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Get Help.url.RYK | 0.46 KB |
MD5:
1e21ac75075377cc44e12b34b7a59611
SHA1: d722aca224042f5b327a38851d3ba8c8fcb613be SHA256: 91a3df9fa038193f7c5438b901e6d72118d3838d352197df97069f4de96e6772 SSDeep: 12:vJpQJ+KaF1c4a9n1pLgs+2Ex1VJevwEz8yR4uQRHZymWR:vJprKaFO91pLPg1VgH8VRHZymO |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\199.RYK | 0.41 KB |
MD5:
45cd1b02e4d49f129a485c08e74655ba
SHA1: f10e2876a5cbe6528c0cc4e2a4d9cbef1036ee89 SHA256: 64da9b7a9e8798e35d34f5e282a15a03bac6f925f475310e0083265fc92f4dbf SSDeep: 12:tZk58gB95sNbw6GYBFsGz1Bxe1Swtammxm:o58oew2F5U1N4po |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\11\200.RYK | 0.41 KB |
MD5:
4abf4e9138c24c9f866ad0b2b08d1b79
SHA1: f5ef537d8a534b01322bee6fe940c437e7f31347 SHA256: 732fd9e984ece545a711c3b9d3c65920f1234d7f163227c19f482f57b11997f8 SSDeep: 6:ihxDMfV2Jw2OBs9BJT3P66Zmal6LJjkn7YavyC8EggI6kA7cuiwCiK/ouVYRqgOK:CJMfw3OBs9P5miBaCaeihiKNVY3OTWV5 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\21\13719.RYK | 0.41 KB |
MD5:
ec1b9daa8220a41210f4a03bfa4e9899
SHA1: ce50415d0beaa4a95a0c59bd2ed5e9942607c6f1 SHA256: d11e67771f7b4952779275f22ede0cff93af908e4221aef16117d5891666c3bf SSDeep: 6:w1rhcprRQ0PGkPggbupoBwwaj/OcubwpHkzw1Y1vZ+1DzGiWLGeq4zrZpRWKyn:w9hclRQ4gVoBwwa/9ZsZiv+ieqgnRun |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\300.RYK | 0.41 KB |
MD5:
49dd7d0937ccb31de59125205876af8c
SHA1: f24e8edde0347037716ad99d95b8bccaaa955657 SHA256: e5037c3c62dfbe5ce744115b6bc086263640868133e986c77dbfd6d2d28b7e72 SSDeep: 12:VfIXpe89SxMw/satlDFNkVqH2xys650fE:2eHfsajDFy+2xys6+M |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.009.etl.RYK | 16.28 KB |
MD5:
07b60f0eea653e281b3e71a395ccbc32
SHA1: 532df42548c0216d2c13b7d4e991c1ba453edd3b SHA256: 36259de763fb60080a0419d4767000bbb378691ab559852bb9a86c366a0fb42b SSDeep: 384:FFh2jNt2h6+TQXd0cRrImIIwU4pu2xgZSEVA6tLdDDphvZplG9:FL3h64QX6cdImIIw3puWySEntBphBe9 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\2\94\A75BFDE52F3DD8E6.dat.RYK | 0.63 KB |
MD5:
c6411616238c7a68b1a0f53cc257b277
SHA1: bef61368a3302e4afabfbebb14ee026eb3301aaf SHA256: 3e2c20038909cc2da93374cbc0bbae9ef862ba0d489d52b3d5866c3d667b830f SSDeep: 12:vv3UD9zSptSSe239Es+0WlX5Fb4m51p9TXZa/5ZynrNGwUBdHHsCkJ7UI:33UDNSutgf+ZX5FcS7tXZaxZ05GJdsCW |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.019.etl.RYK | 4.28 KB |
MD5:
0ae393b85af97c447d750fcefe66934e
SHA1: e4cf1596e475197508f1ddfc25f625f466f03c15 SHA256: 9e1af182644e3cee8f710e77e63e608814d1d92d3cb354b8aee1208707f96948 SSDeep: 96:nlCd75XsfQbmLV7L9jE6uNPgaAAWjcqVQhYVhFfdHlS8Ffnl5:lCdGfIujEjPqOh8jVQYr |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Outlook 2016.lnk.RYK | 2.63 KB |
MD5:
1fd9867683e75574c9ad550399ea36be
SHA1: 9ffd7f2efb00df0a842f38b497532dae81e43ffa SHA256: 8ef50c62945d015bb02c68ce0a67f10e23b8fb9d22064f64b1db6f2f884f2ffd SSDeep: 48:aAdH4rJHNMMSO3OuApVxRb01cfC5YlE37WeGaix2TqZ4+H4mnPwfR5+fnNcS2T/I:eNR1AxRb0QeNWehix1W+HhPC8fnNc3Tg |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.png.RYK | 5.55 KB |
MD5:
8a9c3fccd9800d854c41d7983cb48888
SHA1: 8453cba60660f795f429d61f4e6c04757d8cf8cf SHA256: 3a59b18bc55c654fa312c99ad2fd34eba042e88cedbfe46b672b8020ed2db630 SSDeep: 96:6WW75v4rGNaxIk4YZdAEoJL5n/Hx9jdfZc1WywyyFO58rLdgz:6f5v4rKaCkEn59xfZcUzTFO58Pdgz |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini.RYK | 0.72 KB |
MD5:
e46ecb563b50db556c99ae73c5e06181
SHA1: 4ebba35a4a88b92c7ca8e6de4a5c305ce63a4134 SHA256: a6d538b4cf409d7d4678d44589a9ad6bab5af39241cf722270da59e1a624a3d4 SSDeep: 12:8Fr1OFODABevE/w3OuugQIyK6/cdvKGHYYVmWkGxTRzzc4mS/Y5iQm3GJOf8UdlY:8FcFnByJOuup86yYYBkONHYQQm3GYfL+ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\20\189.RYK | 0.41 KB |
MD5:
ae01329796de6069be5b3ed20ef31cba
SHA1: d53ac5cdb765f09a5dc8d1939fd40957c0d9f5db SHA256: d222dfdb32b42f09607b893594ed434318afc8e5d519bf51c60a207f212a73ab SSDeep: 12:k9w8ZzEZKQ2mm3Bmyyv17UqTCN9rCa47zmp/xla9:k54knxmx1QqeN9r+zmo9 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.2.xml.RYK | 1.63 KB |
MD5:
2150ceaed0e677f3038b27fbd81ddb64
SHA1: 9d84f03a96c43ae17c87325ed05dd5deaf7ceb5e SHA256: f4e39a515d82181f6db460b221380d386731b3c864166daa3a0274fab4ad719d SSDeep: 48:gokSZ8KFbuuFNXj9d8xLXwScNl+1aMyJ3UywC3fBDycy:bkSZ8KluuZYr0M2995DFy |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.002.etl.RYK | 16.28 KB |
MD5:
4448da3e8a3413cd23213ef3e5180148
SHA1: a7fc15e7058f2f2764436b52d93fa37a2805e8da SHA256: d203c4fbdbcb889be1df09f369beb2ab1068a97f22291ec7654359b6d017b6d5 SSDeep: 384:eye3cY7IRzlbmrlK94QW9Y3ryEt22Wj6o5aBdfrJ:k3cY7Ezl8lK94a72L5g |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.005.etl.RYK | 16.28 KB |
MD5:
7965ab3d9562bcba774b36dc16ae284e
SHA1: dda8133df3654fe430422e95be50da11944c391e SHA256: 7f10aff392197c9433c5d62a9dd8d6135af0b5d7944b49a1be61f6f0d4c01089 SSDeep: 384:7kqchLUgpc44gCBMGC7D+rNHN9OQTbkLMSNwOu+esN8XzOjD4G2kq:Aq4cHgCBMXD+rNHN9zb3zOVlqzvGzq |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.1.xml.RYK | 2.21 KB |
MD5:
168c15134a44ce93ae34c0289a64f082
SHA1: e6f252c72d2b1afca463b38eb238073ea86b9326 SHA256: 073ed824f4c90e18e75bf20b9c19fcf90b47bb00c50c389d4d0a1ef7fc3a7637 SSDeep: 48:yWBKcyTI629C+cNv1ELvZt8tg6ZUb5dQ6I3EbQmAvcXD:fEI629KNELvoRZw5dC3ZFY |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Desktop.lnk.RYK | 1.11 KB |
MD5:
90be73ca7675faa2561708614902076c
SHA1: fb0ed9fd8d60d20d762fb423799c49b114e3c932 SHA256: 00b5ca01998f447a1f3244a1ac88f853daa3ae8522576ae9579fb6aedcf58809 SSDeep: 24:MB7OlgS4S2laytUZJD9wKy/UwYFoQKa+iKCnlJdZ5jU0D2pYoBzqG:MB7O2SwTUG66rlunzTMGG |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\services.lnk.RYK | 1.41 KB |
MD5:
19f45b888c2805a123e7c56f50f7af11
SHA1: e06c2d7e00a4d78b902fb494bc6df576a57a261c SHA256: a6de2eb6433f9b42735705120b2304cd6639bae10c98d920fae8db8ff6a2840f SSDeep: 24:IQB1SGk5NWd0O3GLbWPlSCAUPRu9zPgmM0zEPylr8Q4yMNI5RI6T0HLMu3HjlKe2:Iy1SGk5cdX3GLbWPlSCAJBAPylr8Q4y5 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Paint.lnk.RYK | 1.36 KB |
MD5:
5081ec8c133183592443d1a086fee6ec
SHA1: 927faaabcdfbbe136f10d2c9fc50d652dbc673f4 SHA256: 79d456261ac9e63135e2829aef9ba3638d655702c8c28944bc377fe894a481e3 SSDeep: 24:kgNnseVvgM3/wIuAHEUT8eyfsR5jmwTprA2UHRxpTGHtWCC6+AfmcL9pCjFimYHc:xnZVoMvwIMUT8eSa62hALrutZEwKEHJO |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Snipping Tool.lnk.RYK | 1.38 KB |
MD5:
c9739df832eb21a1001710710c95c174
SHA1: 837e6bf6d7072fb9052f5b5cdaa9c349c90c3b28 SHA256: 218fb10e173ae084232ee8034a39f47dbd466b95578ff26404e50c8026eb207d SSDeep: 24:e/ZTZGcS3mkJdQGoBJv/BQM4UeA+hgAG1KTVpDKbEpmXjgjRhL2qWlXevRvNlX3E:qtZGT3hwdHWMeOD1KTniE0zgjH2svRv4 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\10\286.RYK | 0.41 KB |
MD5:
4f5ede5df13d963ec35ced308138702a
SHA1: a6892b4df75f929c558766b52578c0a61f8583d5 SHA256: c814fd9bbaaa38dadb00beb5ddbe539e489a52e37b2c75ef69f5b16739755dcc SSDeep: 6:nrgXxcsnOK3cC4yug8SQuTzHINlYY3Bg7gO+FSyQS6Gx4djBJbA0O6B28bqApZmI:n8hrpcxyIuTLRY36yjHxos0TB2k9Z |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.021.etl.RYK | 8.28 KB |
MD5:
79b7b5b6dbe7c076af5ccf0740d00526
SHA1: 781834e658375a417bd74aa769a2065ae49cc57a SHA256: f701cc524cc89ae62288d874f5085ff6cfdefe6ce2ef0174f8bb3be5dbee8061 SSDeep: 192:Stu/Fd1KkJ01OTnpfv8cfOKxJ/bONgVva0rHK:iUD1qOTpfv/pX4gVvd7K |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.013.etl.RYK | 16.28 KB |
MD5:
55c2ddca19bddec73d5b6200ee377d6b
SHA1: 1264e09c2aee48be0929566d3cab2a891d22da6a SHA256: ed1d0bd3cbf41ec3e80225c15b74eddbcb6a26bd80dadd406b2f98f1bec3737e SSDeep: 384:OaHSPyn18v4CPFtjg9RqpeKWV2qU9TiO2ts0QwjV6agMXMO:bLPCPFt2med2qU9uOrvw7gCMO |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\272.RYK | 0.41 KB |
MD5:
ff1499d0b88be8351dc80cda2ef08f0f
SHA1: b897aa92e03cae2ce3892cc497c18266566e32e3 SHA256: 9d012674db55eba33e7acc3779f7e61e1603512b84feaf1bda7759a1b847b3df SSDeep: 6:BK6BfsylhSVjTd9WW393VqH7bJQzT2lpWZkZYRD0K225TwSMT6Q6r0+E0In:1smwfd9BWbbJQMsKYRI2q6QA0+Ezn |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Task Manager.lnk.RYK | 1.38 KB |
MD5:
939c3de2b51064e64a1ef41f4e4bd6d1
SHA1: a4bec1fb9717a9f89f4c9f4577955ac311d25112 SHA256: f24c009979cf6ad194e5c7ed6967bacd9be9b352d88f28c1e597994b9eeabb54 SSDeep: 24:ZtLI8VuAFnMVgYctRQXvvplRsHXFNj7Fhd8NFPLFgy60uUR3kWruAaZZIKutgFNk:o8HSqRQXvCFNj77kzFm0uOdCAanSKNfM |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\317.RYK | 0.41 KB |
MD5:
e13c4688c49b4f33d8b33a37ac260b20
SHA1: 4763a187b4a73c332beb54667e310ba14887f189 SHA256: 25081fec05a4ac570f766adcb83e5a2a87d0f08880f482f574152102abb2fe54 SSDeep: 6:Ehje0HMdQl+++/U8HCC+5fPnYoUDSJ6vrDpLzTGpa8st/PhEnkS+iSJ0DZyld4t8:EJ10mgHePYXvr1HTG5stHSkKS6DMa3Mb |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\14\9664.RYK | 0.41 KB |
MD5:
72f911b6d4bed5dbaba0edf4d4f9c979
SHA1: 77182aafc83c30d1d96cc51142458dce0b894277 SHA256: 05f3f1cdd0c2167298799cbf45a520791cb057dcf51d7084323538d2aaf798ef SSDeep: 12:+DjZRO7ykYDtDRE+OlwqTAaJtBNzXik8R5uHdTV:+DuGcH/T3BNjTHhV |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\263.RYK | 0.41 KB |
MD5:
f085310b0d0639bfa798d17dad9f35ee
SHA1: f631e5ec18fb2a9fcffceb20f0dc470b47d53d2e SHA256: af17ff6d058f08a55061a5dd9592bef98d8be3adf32359dd712a9ef3871cebd0 SSDeep: 12:LfMMxeO9f4FaRYssyjOqTtgGymk4QW9nw9VVgqDoag3hMQ:He0T1j+Ina3Vg4jgxp |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-32.png.RYK | 0.67 KB |
MD5:
4c949aac3c40079f34f6e585a0cfef5e
SHA1: 21930dd7b1b3fe415b9720893ce2639118ec1181 SHA256: 5a0f6d162071ad33f83f591301baebd307222d90027e4e01b1c4162b22680ab1 SSDeep: 12:NoGDxZbtfP72svRueJ+5Sz51XC2CfSU5JUJ9hwuSgxt/r7EYMOC1IZyb:NoYZbtXpv4E+5SzTCnfSWJUJ9uuhx5En |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini.RYK | 0.44 KB |
MD5:
480eb25fb5badb9cdb07e8d9f31a2d5f
SHA1: 07373dca2a3e7229ffed98ca7cb92e52ace07d3d SHA256: 3d0ce59b0b1351ee1b6e882f353ce80378e7fe387ae99035bf3b06a79b083e18 SSDeep: 12:Uinp3dXwjN5CYwjx4JDD1DFvujXmU6iOc5j:DNX0rCYiSBDJujXp6i1j |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\MiracastView.lnk.RYK | 2.44 KB |
MD5:
143bde3ff69b532b74e76f0dd7eae9e8
SHA1: 6352cb43bb4e170f55c0c1bd83ae4dc23a723bc2 SHA256: 7b7a64d27757fd602532e49a2eea80be35d7f90ffcf459a0ed33acdc3cfd1568 SSDeep: 48:e5F0+32B9SmKyuzLRzQWtksrdnuULPkLnqOcDf8I5pfWEisTSL4o0sxB:e5KII9SjVzLRzQWHuULPmjcwI5pfIsTI |
|
|
| c:\users\public\videos\desktop.ini | 0.64 KB |
MD5:
821cd40e7e288f4f4671acee647a594a
SHA1: 9bed5649ca17f476147abb9db2efb49c9fe76199 SHA256: 2e2fe2c48910c0cb3a1fa39f2f19121eb1e57854a26b7b7cbc69d7e76b4e7443 SSDeep: 12:kL3WmhiJXMg7UN2GGublEhUVcMymRlTR4BJgXylKMEisFEtBksMos+bA:AkvANj1/Vcsv4UXuAFEtBk0hA |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Acrobat Reader DC.lnk.RYK | 2.67 KB |
MD5:
96ac452269e3149d9378f19306c5da70
SHA1: 9e456329b86f651f3066b8d78af3e90ec93f763f SHA256: 3999659c2e02ba80b248b3d7855588cc89f02c99a0cb1dd55e8f41ca5785e2dd SSDeep: 48:NTEI8sKk8jGbr7XzNAWz4+1ZTlLM8LhJRsULDDXMuSORIiXiHgAHUXCB7:N5bZ82r7SI4+HTrsmDD6ORIiggAiCB7 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107001.RYK | 0.41 KB |
MD5:
a32c4f605e06b2ba6530270ea88c089c
SHA1: 9f45ac422c80dec68f62515c9776c598730705b9 SHA256: 02f30f5fddfe9e9313a3d8dd5da8dc1a1552423d90ab092ee1292182b1b083b5 SSDeep: 12:YYA22E5Hodw1BE3SpR6aGnDEOY6mDnmEeBiun:7Hom1BnMrnVYdD5sHn |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\2\61\EFAE1E6619D4EE51.dat.RYK | 0.50 KB |
MD5:
157862bb7e1d5b9cd8efca58856e186f
SHA1: 8a93c224d4c6e2626a25e00104ac7953c670fa11 SHA256: 0bdcb4134e8ee62838c1059546aed06fbdc5d9fb32d817e3dda3dfadd67d5298 SSDeep: 6:kK28+tIf6UUC1mS/DZ/r+9GUBGf4OCodPri8zxyYCeoG10LeZ+Sv7Ek7pSG1yOPC:dVfhvLwDs2Yu8vyqISvT7pkHmCB |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel 2016.lnk.RYK | 2.64 KB |
MD5:
2d64d5ad4759a878ba354856e30da103
SHA1: 00f03f9a96924674489d340f24f22f992c9177d7 SHA256: b7ee456da3174568416a84c213c95c311577402bdbfcd24d746326726192a4a9 SSDeep: 48:j82iIF4oizUV2Wo8kENzTzkMWfIHX+elDl6Pc5awV0Wk+Dp0d2vJC2J1HJKO:g2iI4gIGXkMSUuegc0w+WkUagv71oO |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-40.png.RYK | 0.71 KB |
MD5:
013ec49240712b27cb309fb92b4d893c
SHA1: 2ab417231a3e523049e65c7f0b17bf96a5ca779a SHA256: bb383f181369f0aa71c953b42b95575b4751f9d7ab0bff27bd660d1c76e63f84 SSDeep: 12:RIEP63vDH4/EipkPiLYT+yW46mJXlxhIKasvWuMmaWDlfz759hwfnX:RIU6/DMpiKLW3lxhIhquW5fz7Nwf |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.003.etl.RYK | 16.28 KB |
MD5:
a7b578b6e9ff020c44bc1e3ac7e73f69
SHA1: 4c54461bd0acc4dfa909bdf45396d3a62c8de9c3 SHA256: 87ca718cca80cc1c9f146832e2d7e2a8e9c2ec85c8a258751ceaf69543e96d21 SSDeep: 384:lovOIYAYDKsQZqfWcbh3vwZcbTojrYAzQH0FbFpkg6:lRPemHbh/hog/HKJpa |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\10\267.RYK | 0.41 KB |
MD5:
ed6e7a8c1f214b444350fe311e303056
SHA1: 9035b0391109155fe2befcfb28a1cce2762856d1 SHA256: 574a550f6d0e96d29b8a4b760c992dcd842c0c3c319ba1cb85cb955d32a20b99 SSDeep: 12:10UxQxsjV8PHInL3yV6O1lu14juJmelCnaqKTi:9xDV8PHCL1wu14KJmBnaqv |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.012.etl.RYK | 16.28 KB |
MD5:
75db94c98abf5c01ee2db483533dc723
SHA1: f1c907eb037b9fe7d7027bfeaa852f9c30177e3c SHA256: 7165fb9ab3bb3d5cb170bf4066eafab520594c566575a75bb3cdd4cbdd2f0701 SSDeep: 384:cb3MpYDYFyraNwmaO8U5fiZe7ytje0GTIiiyxOSBBDzhtqgE:Y3YYDYQammdP5fv7ui04Iii5SnhtqgE |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\About Java.lnk.RYK | 2.33 KB |
MD5:
a8866c1e9f079b0c18e421f870e78a56
SHA1: 839a7a491ded8577c86366a780a5a9b1db913898 SHA256: 4a716c0a806262368b6598a19e18fd091643550cb6175d192f8a47a9dbd69837 SSDeep: 48:b37uC6QSgt/CYeCsyCw6FtyMdeC28LoOekHrasZ4:b6Y9Cgs3zt28sQav |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.017.etl.RYK | 16.28 KB |
MD5:
545ad0e727678b99083a3a23dfd66b88
SHA1: 77af948019a3d43e3a66a4abde1eaa85a6fb61a5 SHA256: 1c3dd2d0679a7e4796abdf6b1687db98466edc176cac0365b3368447f0996eec SSDeep: 192:m/U6vAIZ7DBS4omRtsh2hlc69sDM2aSihJhAJPwTB3REavTQdi1BYW1Pb8Uwoe5G:mGg7FootC2D9ExKTB3RE/du1PwoeYor2 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher 2016.lnk.RYK | 2.63 KB |
MD5:
7af12f267a002fd144f4728ee76a1c06
SHA1: 698b234b1e4b0b100907f7e499f7ed50163a3b04 SHA256: 9f6ef7eb4590b4882b3e6ba3428803cfc5ff768826d9529144848c0822cb2a60 SSDeep: 48:xyGC/jLvS+a+l0V5bBxv9By2lVn1PtOk8VGDN7q9LgGxQ4:E7/lUpb1zlVn1qVelq9cEJ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\10\197.RYK | 0.41 KB |
MD5:
264d0cc0ac710ece25bfae98da0eb007
SHA1: e24b979712dc8b1109a6fc23c9fcab5742b975c4 SHA256: ace1fc57a8c209391f0666e30ead069fb4452107d5b4f40a2b7c4856c9ad50e1 SSDeep: 12:8VUAOQoN2moZC9vqXIBCc7J1Yq2zKujLGO4:8b7oEmo8dqXII2JT2VM |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\196.RYK | 0.41 KB |
MD5:
f58d092e817c35e078025279aaa94772
SHA1: d13776d611e5cd7efaff1edae4bf2c62ef1719bf SHA256: baa4ae3ee32a662cea7359b4aae166d03a79a0edb74c18151daf07cb900d590c SSDeep: 12:5Fq109dG5LvePYs9h5xJpEE1+pjWYcN75IUG6va:5l/G5LvyL5xn7F93I36va |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.png.RYK | 5.55 KB |
MD5:
0b2513290c51cacf66a1ef87abe61682
SHA1: 5cfaebdadf206074d0194567c48dc2f48cad8de9 SHA256: 90d17f4319648657277f66b18d995eaabae8e2608f01becd5cd2308dd85c56e8 SSDeep: 96:h1HFpwd6Uz24ub8PNWOM9G5XfS1LtGKSzKQNp1AJ4+9THmwQThh0IegBjaKCO40/:TlppUzIO8wXq1LyTrAJ4+5HrGh1eSv4G |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Configure Java.lnk.RYK | 2.30 KB |
MD5:
18fa73d1ce6801cabe6fce2b1e2bff2c
SHA1: 48e5900f38544e2aad6e328f0a411f7d4b85d165 SHA256: 5b1ac7fd540a55e0c7a3fd1a28afd7bb20ddc75e9793827f5c894d65bfe56152 SSDeep: 48:C6WPw8XM08Fa9pW667RZxraBAi7gjP4YTuwFbx:4Pw8Xoau667NW/5YTn |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Default Programs.lnk.RYK | 1.50 KB |
MD5:
32f08cad2cd6646c3cd13a0c1791fdea
SHA1: 6568e4df4dc15f2afbc576fca032d1d8a72a9462 SHA256: db8ebd6e0218e872c81200ac66f6b540111fba6c299a671e80757c8364759ce3 SSDeep: 24:S7aeOw5ti/KjpWy1cf7pTXTUrcT7cdzvIWWJM4H8zxyTAw0/gXE/Weg0qn:Ya+SAWy1W7db+QK4H81DmsW35n |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\262.RYK | 0.41 KB |
MD5:
eff645d45723280abcec772b442ed8cb
SHA1: db4f0981ed2dac962ae04c740bdcb81e4684a87b SHA256: dcdafa7a80d8d5982a52f4f14047a30220780e6b994add6111bfe3b42f2c68c0 SSDeep: 12:zk3eqz67zzqDMiLa2lwAXoE3eLHaS6GlCOQ2V:pSMiuAolHaJyCD2V |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Wordpad.lnk.RYK | 1.41 KB |
MD5:
55691526b686b724f7f7dcccf8421bfe
SHA1: 8ad77345fa78db2b9b4df72f9463e4f054139a99 SHA256: d4a84798c6625183a685ee62855eb74497bdcb2b397d443c95b2eafd1a3375ca SSDeep: 24:Uw+TCAdisfHjXXlQUNa0trzLF9P/7Ar+fbU7ZaCw/Nmv6D5DZbsN:ULCwMkVzLF9PzAd81/NiUZa |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Devices Flow.lnk.RYK | 2.42 KB |
MD5:
a13feac354024f0e94a6f711508b63f6
SHA1: 29533f4e981c76648e08299254d905a537533f60 SHA256: 780872fb846f2d6399949c2bab754baeda4c3fb50f21d4ba7cea0bae6693dc19 SSDeep: 48:aD8jhTy1gJ4ofZCfmQiou/2mK5Uv/mt2D1xC70MC7//0nYzXu4xTS+9bKl2Qf0p6:aDTuJ4fmQio2BKeLP20Fr0su4xT1ZKln |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Visio 2016.lnk.RYK | 2.67 KB |
MD5:
c73950fdf295a7937e79bee7127dace6
SHA1: a325347e52f59d3dc98f39c48e70eaf02ddf115a SHA256: 251cf486153abdb9dded12948452b4b0a80a22faa701d4705afe87c67bb1252c SSDeep: 48:mIqgH+UI3JqGJECTJHbfrgi9BkZDd6MjtsRDiVRhE3Nwz2/XCq03:mVgHX6qGJECTJrpP46M28byfCD |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol.RYK | 0.71 KB |
MD5:
375c3c6ba31710ac6931a951c55f5fd5
SHA1: 688111ff8a3a7c6d39f74c0b068676a8dadb9868 SHA256: fac4fd7634d3efd9f48991c1c70a0fe2f04fc003ef0e0273c9ef142c36b48ed5 SSDeep: 12:pnouNkES8sO+4skwN5KMAuKCslJUuA4Zs+HwaOlXGy/LTWAuaphpeYfFxlYQFvRz:pouXShsb2KCsvUuA4SvjlXGMLTzu2/e0 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini.RYK | 2.81 KB |
MD5:
51a5c90fdc58720246d4a865ee64eb9c
SHA1: 4c3c9eeed981a691b08c1d3d2944d3dea03f6e97 SHA256: 1db65c28174caf8c748d4c5d4df46424db5f58dd44933730e26b0c15db1e88ed SSDeep: 48:Wb4dXA0SDpIk0ztUBYryBEA/JZtMHQ4pVJ2IT6j1GuagEc2tJpJ47YJ0HWX:WYEDukZBSyhKQTXgvgEj3pRCM |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PrintDialog.lnk.RYK | 2.42 KB |
MD5:
433231afc8cf82721fd4321ddf3fe197
SHA1: e90b68b6d1b93a23f8f32040c295617920811f6b SHA256: 33385a0b7c65eecbe8022434123cb3cd9243f14d460ab5be3b5d8c44f117d6fb SSDeep: 48:DB+r6frm9b0aYI80gK0c2w8cATuIrNfvkZorXWIrJu:DBJuYighfcAxrBuot9u |
|
|
| c:\programdata\microsoft\windows defender\scans\mpdiag.bin | 0.39 KB |
MD5:
45f31cd61e0779789743c767799df265
SHA1: 6389a9c6bf0295314f0822a4589f5cd7482013e9 SHA256: caf512d3928de496d35e73d5713fda48bf49793fd035931ec8ab4e0aa5a0dae4 SSDeep: 12:eU4lH0ZH/c4XmqvnqPRgFaKzo1QxRZFwjaqVrg6t4wlz:ef10Zfc4JYGFaQogwmD6Zlz |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Project 2016.lnk.RYK | 2.69 KB |
MD5:
a6f60454017e7f777082b841b269b842
SHA1: 9526d7cc95494c0ba5e60c851d2268b7208bff61 SHA256: 6a9344131c8f2ca933fdd6d48ec127277920fd1ab846ef778d97718eb4c4fbfb SSDeep: 48:VZi7b5tRGTnNdcq6/JADiY1A60/VZqv28yIQvrpDqhBvpz9pKi1DVlBz:VZi7b5tcrsqUy/1A68qv6jOhHDVTz |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini.RYK | 1.72 KB |
MD5:
83e25b2471bf0eb30b587feb56504f5c
SHA1: 362ac9dc5979a0421013313b97d0e6ca217b31f4 SHA256: 6b5aaf33d8a201f1ce4c24a2484a2c90f01482b8d16d71e3e1630b39622f8f4e SSDeep: 48:Ek75iLIO1/EjmaasXwuWm9nI+6ZXVwz3u:EO5iLIO18afsA89nINCz+ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Sticky Notes.lnk.RYK | 1.44 KB |
MD5:
403295de8258c217d6229ab89b2a97ea
SHA1: 6981a773899bc957100a196c73a96a6f4159e206 SHA256: 605e7af2b6879b253b945514e2e3e83f9186be4c800a6f8d90c8376fd1c3a8b8 SSDeep: 24:kLfLtLCaH3nTEl4EDJa81zURwjqbzJJnW80a8D5yhupNQ4Buwn97XDHdj:oJXTA1zU2qbzg/euUDcDHdj |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini.RYK | 0.64 KB |
MD5:
35acb5e4e02be939435e344d79466dc1
SHA1: 0160bf3722ac4734ad1b1615642e66e1610559d5 SHA256: a560c788768574a36c1aab51c3decb06a0fa71097b894d092961a48cfb627830 SSDeep: 12:ADCx8kSBA79OAled3yfAQUcG3iMBrTNY2xJ6sCBVOf1btdLxSpGL3:Amx8kPOAEdCfArj3Eg1nLB7 |
|
|
| c:\programdata\adobe\arm\reader_17.012.20098\acrordrdcupd1800920044_incr.msp | 10.00 MB |
MD5:
984daf0ca66f1470f35cd695afe21b0c
SHA1: 9481c55627a0876de96383747762bcfad5cbd71e SHA256: 6a2768c2146e97e744e3cd9473a8e53e8bdcdab43a37b65d77fab8df7aeb48e4 SSDeep: 196608:yu+S5/KMnN+wNR5bnZzwitGRFJvk2YxWCqoM4ffR/uRVr8E7ejFul:Y2dN+wL5L6tvfTCqSIGS |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp.RYK | 10.00 MB |
MD5:
1d41dfc58c286f2456a65223cc6f75f9
SHA1: 7888c0ce60a45afd96cac680b4418e5a029cdbf5 SHA256: ad7c0c82ce5331d8e83c787c85d664c2d4791e0dcb1735d3eed20caf57598537 SSDeep: 196608:yu+S5/KMnN1GuZV8dP02YxWCqoM4ffR/uRVr8E7ejFul:Y2dN1GuZV8dNTCqSIGS |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Project.lnk.RYK | 2.39 KB |
MD5:
d3a9870600882d98c61214762eb70d59
SHA1: 37f80201b332ab1d4837a121e2888fd651b57de7 SHA256: d0489017637957e324d53efabb8c2d7775fcd79ab96f9e82456716d02fe7c4e0 SSDeep: 48:Fy7llX/LbgYh0c2HWipJidFktH3DkLiExywYrvXYuHcQDy+sRD:FGl9gYzkyDktH3WWVvX7Hct+w |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateUx.001.etl.RYK | 4.28 KB |
MD5:
742b29f4345587f33d785b9c9fa838ca
SHA1: e842d41b6324d4a51f35ddf22729eb70c28fe102 SHA256: 6ead290f91af7841b3fa1caf9c46321d3ed7dd0a805f7d5a0c267c8ecd0cd4ad SSDeep: 96:v9s6NpYGR9kW2xtvo/dSY8MDC/6Hozw4t1qCWI0SX0tT+9gx3Vqq:15Np+W2fvo/eMDC/+osU6A0zLqq |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\288.RYK | 0.41 KB |
MD5:
aa04788b099fcf05a4e9afb7a08c3ed5
SHA1: 61abaacf2e3d8c058fc56d7e6ca1d91dcc3d0e6e SHA256: 4dccb8379eb7f90cde2c5e3a4ad2b1e5d5e276506ff9acb5db9f1a49d323810a SSDeep: 12:iYfPNLF7qLoG6YeNtQZBmOzjaWv8rLpLt8jqW8:fTeoG5eNtoBm2jaWkrNu2 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.006.etl.RYK | 16.28 KB |
MD5:
1b8fce3f78eeb9dfb4f15c26c25015f3
SHA1: 0add439c04ae21f55a8a96419a10c433bddf5b98 SHA256: 8fb6cd777864724f9df317a8affff7d682706321efaef0f84b53e4e438ac5dfe SSDeep: 384:JVGRj12h8rol5Btm9uWT3UeIBb/oBhEA6kkt7rh3beuj7jRb4:MxQUol7I5g/4hHKXEuj7h4 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\02\303.RYK | 0.44 KB |
MD5:
47af1b225386fadfe228b79f409bf195
SHA1: 573a0c43fd272b0549d1ede78d4b1b87f71c8598 SHA256: f6be33ec761235ba72a61ada591fc3f1e57723b4a419f7f0672b8c59e2d69e67 SSDeep: 12:EIlPpD0D7wjQ3CBwqa3dvKdpYguy4yeRW:EIco031Kdn4NRW |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\09\238.RYK | 0.41 KB |
MD5:
873fcb6da351b47ada36cb375d267ffd
SHA1: 26a058cbc3d23ecf48d1c2404553d18a70683cc3 SHA256: 5b651c9e58c9d3177cb98119d7fe72115d1a85c9280fb1b7b53c716d56317a70 SSDeep: 12:bicDsX4KFcpA1ykEDcmNfAPTIMn+OYqPQgzzQ:VwIKFcpWNEDcmNfAkXbqP1I |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini.RYK | 1.27 KB |
MD5:
96379384843c0e2bac5422d0b8cbdb3b
SHA1: b96dde26e58fca0add8e4a8d42725e6733abe963 SHA256: 61cdfd5104fcbf452f809061b48fda8d1d20c23ebb98c28baf4a6b6473f215cf SSDeep: 24:Mnk6i4tKouo9d1tNjepbYsboW5OAM73OWyCD:Mq8KousbtNs0yxu73OQD |
|
|
Host Behavior
File (7806)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\BCD.LOG2 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\BCD.LOG1 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\BCD.LOG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\BCD | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\bg-BG\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\cs-CZ\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
35 | |
| Create | C:\Boot\BOOTSTAT.DAT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\da-DK\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Boot\de-DE\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\el-GR\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\en-GB\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\en-US\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\es-ES\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\es-MX\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\et-EE\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\fi-FI\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\wgl4_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\fr-CA\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\fr-FR\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\hr-HR\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\hu-HU\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\it-IT\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\ja-JP\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\ko-KR\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\lt-LT\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\lv-LV\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\nb-NO\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\nl-NL\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\pl-PL\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\segoe_slboot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\segmono_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\msyh_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\chs_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\pt-BR\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\pt-PT\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\cht_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\segoen_slboot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\msyhn_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\qps-ploc\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Resources\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Resources\en-US\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Resources\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\msjh_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\msjhn_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\meiryo_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\meiryon_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\jpn_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\ro-RO\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\ru-RU\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\kor_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\malgun_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\sk-SK\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\malgunn_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\sl-SI\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\sr-Latn-CS\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\sr-Latn-RS\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\sv-SE\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\tr-TR\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\uk-UA\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\zh-CN\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\zh-HK\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\zh-TW\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Config.Msi\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\bootmgr | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\BOOTNXT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\BOOTSECT.BAK | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
6 | |
| Create | C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
6 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
6 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
6 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
6 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
6 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
6 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
15 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
7 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\Acrobat Reader DC.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
27 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DataMart\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DeviceSync\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\Server\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MapData\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\NetFramework\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WDF\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Live\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WinMSIPC\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WwanSvc\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
5 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\.oracle_jre_usage\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\installcache_x64\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Active.GRL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Pending.GRL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\javapath\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\javapath_target_5923062\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
19 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{3c3aafc8-d898-43ec-998f-965ffdae065a}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{e52a6842-b0ac-476e-b48f-378a97a67346}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\regid.1991-06.com.microsoft\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\SoftwareDistribution\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Templates\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\UpdateStore\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.001.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.002.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.003.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.004.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.005.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.006.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.007.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.008.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.009.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.010.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.011.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.012.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.013.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.014.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.015.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.016.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.017.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.018.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.019.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.020.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.021.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateUx.001.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
11 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\Acrobat Reader DC.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\8C296B8E-6699-457C-9415-3D0647E1D775\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\9D76938C-943D-439F-A135-26D02821EE05\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\Catalog\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\Integration\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\ProductReleases\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\UserData\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
10 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.0.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.1.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.2.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
5 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\DSS\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\DSS\MachineKeys\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\DSS\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\Keys\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\PCPKSP\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\PCPKSP\WindowsAIK\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_427a1946-e0ff-4097-8c9e-ca2c1e22780b | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\S-1-5-18\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\SystemKeys\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DataMart\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DataMart\PaidWiFi\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DataMart\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\S-1-5-18\4eccd106f69e31c1b12304e5463bb71d_427a1946-e0ff-4097-8c9e-ca2c1e22780b | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\SystemKeys\6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DeviceSync\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\AsimovUploader\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedScenarios\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\AutoLogger\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\LocalTraceStore\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\parse.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events11.rbs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events10.rbs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events01.rbs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events00.rbs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Sideload\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Siufloc\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\SoftLanding\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\SoftLandingStage\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\Server\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\Views\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\Views\ApplicationViewsRootNode\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\INT\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\production\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\production\temp\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MapData\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Pending.GRL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Active.GRL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\NetFramework\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\NetFramework\BreadcrumbStore\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
8 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Connections\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\qmgr0.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\qmgr1.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\ClickToRunPackageLocker | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
14 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\countrytable.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\Administrator.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\CIiHmnxMn6Ps.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-192.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-32.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WDF\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-40.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-48.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
6 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
18 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
5 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\GenuineTicket\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Import\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Install\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataCache\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataStore\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceSoftwareUpdates\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DRM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DRM\Cache\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DRM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\GameExplorer\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\LfSvc\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\LfSvc\Geofence\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Parental Controls\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Power Efficiency Diagnostics\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\SleepStudy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\Manifest\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\Sessions\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\Upload\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Templates\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\ReportArchive\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\ReportQueue\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\Temp\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
9 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Clean Store\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Features\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\LocalCopy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Network Inspection System\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Quarantine\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
6 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\CleanFileTelemetry\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\CleanStore\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\RtSigs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Support\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.67 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.7E | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.80 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.87 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.A0 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.CB | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.CC | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.VE0 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.VE1 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.VF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MpDiag.bin | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Live\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Live\WLive48x48.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
7 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\Inbox\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\Queue\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\SentItems\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSScan\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSScan\WelcomeScan.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WinMSIPC\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WinMSIPC\Server\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WinMSIPC\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WwanSvc\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WwanSvc\DMProfiles\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WwanSvc\Profiles\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WwanSvc\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\setup\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\setup\refcount.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\.oracle_jre_usage\17dfc292991c7c24.timestamp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\.oracle_jre_usage\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\installcache_x64\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\javapath\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\installcache_x64\baseimagefam8 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\javapath_target_5923062\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
18 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{3c3aafc8-d898-43ec-998f-965ffdae065a}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{e52a6842-b0ac-476e-b48f-378a97a67346}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\regid.1991-06.com.microsoft\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\SoftwareDistribution\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access 2016.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Math Input Panel.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Paint.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Snipping Tool.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Steps Recorder.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Sticky Notes.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows Fax and Scan.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows Media Player.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Wordpad.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\XPS Viewer.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Acrobat Reader DC.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Immersive Control Panel.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\About Java.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Check For Updates.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Configure Java.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Get Help.url | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Visit Java.com.url | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneDrive for Business.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint 2016.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher 2016.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business 2016.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Search.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Project.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Desktop.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Project 2016.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PrintDialog.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Tablet PC\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Devices Flow.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Default Programs.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Task Manager.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Templates\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\UpdateStore\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Word.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.001.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.002.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.003.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.004.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.005.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.006.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.007.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.008.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.009.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.010.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.011.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.012.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.013.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.014.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.015.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.016.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.017.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.018.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.019.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.020.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.021.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateUx.001.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Visio.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Outlook.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Outlook 2016.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Visio 2016.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneNote 2016.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Word 2016.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\MiracastView.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel 2016.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\Acrobat Reader DC.lnk.RYK | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini.RYK | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini.RYK | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini.RYK | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini.RYK | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
15 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\8C296B8E-6699-457C-9415-3D0647E1D775\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\9D76938C-943D-439F-A135-26D02821EE05\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\Catalog\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\Catalog\Packages\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\Integration\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\Integration\ShortcutBackups\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.0.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.1.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.2.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\ProductReleases\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\ProductReleases\46750A92-D768-415D-ABAC-A9B18903B159\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\ProductReleases\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\UserData\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
5 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\DSS\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\DSS\MachineKeys\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\DSS\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\Keys\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\PCPKSP\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\PCPKSP\WindowsAIK\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\PCPKSP\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_427a1946-e0ff-4097-8c9e-ca2c1e22780b | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\S-1-5-18\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\SystemKeys\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\S-1-5-18\4eccd106f69e31c1b12304e5463bb71d_427a1946-e0ff-4097-8c9e-ca2c1e22780b | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\SystemKeys\6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DataMart\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DataMart\PaidWiFi\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DataMart\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DeviceSync\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\AsimovUploader\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedScenarios\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedScenarios\Windows.Uif.static | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\cfc.flights.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.bk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\utc.app.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\AutoLogger\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\LocalTraceStore\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Sideload\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events00.rbs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events01.rbs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events10.rbs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events11.rbs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\parse.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Siufloc\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\SoftLanding\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\SoftLandingStage\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\Server\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\Views\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\Views\ApplicationViewsRootNode\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\Views\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\INT\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\production\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\production\temp\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\production\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MapData\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\NetFramework\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Active.GRL.RYK | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Pending.GRL.RYK | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\NetFramework\BreadcrumbStore\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\NetFramework\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Connections\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\qmgr1.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\qmgr0.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
5 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
8 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\ClickToRunPackageLocker | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
6 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\countrytable.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\Administrator.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\CIiHmnxMn6Ps.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WDF\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
15 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
78 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_10.0.0.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.AAD.BrokerPlugin_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.AccountsControl_10.0.10240.16384_neutral__cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingFinance_4.3.193.0_x86__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingNews_4.3.193.0_x86__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingSports_4.3.193.0_x86__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.3.193.0_x86__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BioEnrollment_10.0.10240.16384_neutral__cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_2.1.9.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.LockApp_10.0.10240.16384_neutral__cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftEdge_20.10240.16384.0_neutral__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_17.4218.23751.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.AssignedAccessLockApp_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.CloudExperienceHost_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ContentDeliveryManager_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Cortana_1.4.8.152_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ParentalControls_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ShellExperienceHost_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_10.1506.19010.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-192.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedback_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsPhone_2015.620.10.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1506.15100.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_2015.7.1.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_5.6.17000.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameCallableUI_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_3.6.10841.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_3.6.10811.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Windows.ContactSupport_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\windows.devicesflow_6.2.0.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-48.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-40.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-32.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\Apps\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\GenuineTicket\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Import\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Install\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Install\Apps\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Install\Migration\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Install\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataCache\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataCache\dmrccache\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataCache\dmrccache\downloads\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataCache\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataStore\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataStore\en-US\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataStore\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceSoftwareUpdates\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DRM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DRM\Cache\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DRM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\GameExplorer\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\LfSvc\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\LfSvc\Geofence\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\LfSvc\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Parental Controls\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Parental Controls\settings\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Parental Controls\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Power Efficiency Diagnostics\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\SleepStudy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\Manifest\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\Sessions\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\Upload\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
9 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessibility\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Administrative Tools\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Java\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Maintenance\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016 Tools\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\StartUp\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\System Tools\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Tablet PC\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | size = 176 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini | size = 288 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini | size = 384 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | size = 384 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini | size = 384 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini | size = 176 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini | size = 1314 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini | size = 1024 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini | size = 384 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | size = 1136 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | size = 6 |
|
3 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | size = 268 |
|
3 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | size = 1168 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | size = 192 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini | size = 2464 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini | size = 6 |
|
2 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini | size = 268 |
|
2 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini | size = 1488 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini | size = 2608 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini | size = 176 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini | size = 1314 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini | size = 176 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini | size = 1314 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini | size = 464 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\desktop.ini | size = 96 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini.RYK | size = 1120 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini.RYK | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini.RYK | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini.RYK | size = 1314 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\MasterDatastore.xml | size = 272 |
|
1 | |
|
For performance reasons, the remaining 4004 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Process (125)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | net | show_window = SW_HIDE |
|
1 | |
| Create | net | show_window = SW_HIDE |
|
1 | |
| Create | net | show_window = SW_HIDE |
|
37 | |
| Open | System | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\smss.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\wininit.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\winlogon.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\services.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\lsass.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windows media player\commands xerox.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows nt\richard.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows media player\serial-video-reviewing.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows media player\wisdom_shame.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows nt\strategicfantasysnap.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\mozilla firefox\recommendationjack.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windows journal\vb les lodging.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windows media player\acrobat-isp.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windows photo viewer\radar-underground-fascinating.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\nc-statements-inventory.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\reference assemblies\literacy.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\mozilla firefox\them infected.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windowspowershell\ausads.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\internet explorer\darwin_regulatory_chevy.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows multimedia platform\surnamepotter.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\mozilla firefox\transferred.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows portable devices\violence_gaps_cos.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\uninstall information\printable.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows media player\reef-punishment.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows portable devices\oo blake.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows portable devices\bugs-doe.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\uninstall information\pillsleavesmaintains.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\audiodg.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windows media player\commands xerox.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows nt\richard.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows media player\serial-video-reviewing.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows media player\wisdom_shame.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows nt\strategicfantasysnap.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\mozilla firefox\recommendationjack.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windows journal\vb les lodging.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windows media player\acrobat-isp.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windows photo viewer\radar-underground-fascinating.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows sidebar\nc-statements-inventory.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\reference assemblies\literacy.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\mozilla firefox\them infected.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windowspowershell\ausads.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\internet explorer\darwin_regulatory_chevy.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows multimedia platform\surnamepotter.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\mozilla firefox\transferred.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows portable devices\violence_gaps_cos.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\uninstall information\printable.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows media player\reef-punishment.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows portable devices\oo blake.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows portable devices\bugs-doe.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\uninstall information\pillsleavesmaintains.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\dllhost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 |
Thread (7)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | c:\windows\system32\sihost.exe | proc_address = 0x7ff6ad002870, proc_parameter = 140697441140736, flags = THREAD_RUNS_IMMEDIATELY |
|
1 | |
| Create | c:\windows\system32\taskhostw.exe | proc_address = 0x7ff6ad002870, proc_parameter = 140697441140736, flags = THREAD_RUNS_IMMEDIATELY |
|
1 | |
| Create | c:\windows\system32\runtimebroker.exe | proc_address = 0x7ff6ad002870, proc_parameter = 140697441140736, flags = THREAD_RUNS_IMMEDIATELY |
|
1 | |
| Create | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | proc_address = 0x7ff6ad002870, proc_parameter = 140697441140736, flags = THREAD_RUNS_IMMEDIATELY |
|
1 | |
| Create | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | proc_address = 0x7ff6ad002870, proc_parameter = 140697441140736, flags = THREAD_RUNS_IMMEDIATELY |
|
1 | |
| Create | c:\windows\system32\backgroundtaskhost.exe | proc_address = 0x7ff6ad002870, proc_parameter = 140697441140736, flags = THREAD_RUNS_IMMEDIATELY |
|
1 | |
| Create | c:\windows\system32\svchost.exe | proc_address = 0x7ff6ad002870, proc_parameter = 140697441140736, flags = THREAD_RUNS_IMMEDIATELY |
|
1 |
Memory (36)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | c:\windows\system32\sihost.exe | address = 0x7ff6ad000000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\windows\system32\taskhostw.exe | address = 0x7ff6ad000000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\windows\system32\runtimebroker.exe | address = 0x7ff6ad000000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | address = 0x7ff6ad000000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | address = 0x7ff6ad000000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\windows\system32\backgroundtaskhost.exe | address = 0x7ff6ad000000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\program files\windows media player\commands xerox.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\program files (x86)\windows nt\richard.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\program files (x86)\windows media player\serial-video-reviewing.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\program files (x86)\windows media player\wisdom_shame.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\program files (x86)\windows nt\strategicfantasysnap.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\program files (x86)\mozilla firefox\recommendationjack.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\program files\windows journal\vb les lodging.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\program files\windows media player\acrobat-isp.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\program files\windows photo viewer\radar-underground-fascinating.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\program files (x86)\windows sidebar\nc-statements-inventory.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\program files\reference assemblies\literacy.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\program files (x86)\mozilla firefox\them infected.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\program files\windowspowershell\ausads.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\program files (x86)\internet explorer\darwin_regulatory_chevy.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\program files (x86)\windows multimedia platform\surnamepotter.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\program files (x86)\mozilla firefox\transferred.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\program files (x86)\windows portable devices\violence_gaps_cos.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\program files\uninstall information\printable.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\program files (x86)\windows media player\reef-punishment.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\program files (x86)\windows portable devices\oo blake.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\program files (x86)\windows portable devices\bugs-doe.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\program files\uninstall information\pillsleavesmaintains.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Allocate | c:\windows\system32\svchost.exe | address = 0x7ff6ad000000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3760128 |
|
1 | |
| Write | c:\windows\system32\sihost.exe | address = 0x7ff6ad000000, size = 3760128 |
|
1 | |
| Write | c:\windows\system32\taskhostw.exe | address = 0x7ff6ad000000, size = 3760128 |
|
1 | |
| Write | c:\windows\system32\runtimebroker.exe | address = 0x7ff6ad000000, size = 3760128 |
|
1 | |
| Write | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | address = 0x7ff6ad000000, size = 3760128 |
|
1 | |
| Write | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | address = 0x7ff6ad000000, size = 3760128 |
|
1 | |
| Write | c:\windows\system32\backgroundtaskhost.exe | address = 0x7ff6ad000000, size = 3760128 |
|
1 | |
| Write | c:\windows\system32\svchost.exe | address = 0x7ff6ad000000, size = 3760128 |
|
1 |
Module (126)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | api-ms-win-core-synch-l1-2-0 | base_address = 0x7ffc55040000 |
|
2 | |
| Load | api-ms-win-core-fibers-l1-1-1 | base_address = 0x7ffc55040000 |
|
2 | |
| Load | advapi32 | base_address = 0x7ffc57aa0000 |
|
1 | |
| Load | api-ms-win-core-localization-l1-2-1 | base_address = 0x7ffc55040000 |
|
1 | |
| Load | kernel32.dll | base_address = 0x7ffc55800000 |
|
1 | |
| Load | mpr.dll | base_address = 0x7ffc53810000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x7ffc57aa0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7ffc57750000 |
|
1 | |
| Load | Shell32.dll | base_address = 0x7ffc559d0000 |
|
1 | |
| Load | Iphlpapi.dll | base_address = 0x7ffc51c50000 |
|
1 | |
| Get Handle | c:\users\ciihmnxmn6ps\desktop\fkgcs.exe | base_address = 0x7ff6ad000000 |
|
29 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\fkgcs.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\FKgcS.exe, size = 260 |
|
2 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\fkgcs.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\FKgcS.exe, size = 100 |
|
1 | |
| Get Address | c:\windows\system32\kernelbase.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffc55093900 |
|
2 | |
| Get Address | c:\windows\system32\kernelbase.dll | function = FlsAlloc, address_out = 0x7ffc550a4580 |
|
2 | |
| Get Address | c:\windows\system32\kernelbase.dll | function = FlsSetValue, address_out = 0x7ffc55092900 |
|
2 | |
| Get Address | c:\windows\system32\advapi32.dll | function = EventRegister, address_out = 0x7ffc57b88ff0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = EventSetInformation, address_out = 0x7ffc57b5e180 |
|
1 | |
| Get Address | c:\windows\system32\kernelbase.dll | function = FlsGetValue, address_out = 0x7ffc55088e40 |
|
1 | |
| Get Address | c:\windows\system32\kernelbase.dll | function = LCMapStringEx, address_out = 0x7ffc5505a930 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7ffc55822080 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7ffc55816060 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualFree, address_out = 0x7ffc5581bc10 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptExportKey, address_out = 0x7ffc57ab7b50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileW, address_out = 0x7ffc558257a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDriveTypeW, address_out = 0x7ffc558258f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCommandLineW, address_out = 0x7ffc55820150 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetStartupInfoW, address_out = 0x7ffc5581ed80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileW, address_out = 0x7ffc55825880 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualAlloc, address_out = 0x7ffc5581baf0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7ffc57acec40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ExitProcess, address_out = 0x7ffc5581ef50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffc558436a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x7ffc5581d5b0 |
|
1 | |
| Get Address | c:\windows\system32\iphlpapi.dll | function = GetIpNetTable, address_out = 0x7ffc51c6f0b0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x7ffc5581aa30 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffc55843690 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDefaultLangID, address_out = 0x7ffc55822ba0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameW, address_out = 0x7ffc57abda40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x7ffc55825a90 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegQueryValueExA, address_out = 0x7ffc57ab7dd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7ffc55825510 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegSetValueExW, address_out = 0x7ffc57ab7850 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7ffc57ab72e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7ffc5583e430 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesW, address_out = 0x7ffc55825b00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WinExec, address_out = 0x7ffc55841e60 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDeriveKey, address_out = 0x7ffc57ad07a0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptGenKey, address_out = 0x7ffc57abcab0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Sleep, address_out = 0x7ffc55818f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcess, address_out = 0x7ffc55816580 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteW, address_out = 0x7ffc55b1abc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x7ffc55825950 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GlobalAlloc, address_out = 0x7ffc5581b810 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x7ffc558257c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForMultipleObjects, address_out = 0x7ffc558256e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameA, address_out = 0x7ffc55820c70 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteA, address_out = 0x7ffc55bd7de0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleA, address_out = 0x7ffc5581e6d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameW, address_out = 0x7ffc5581eca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7ffc55825760 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSizeEx, address_out = 0x7ffc55825960 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x7ffc55825b80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalDrives, address_out = 0x7ffc558166d0 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetEnumResourceW, address_out = 0x7ffc538127d0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7ffc57ab6cb0 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetCloseEnum, address_out = 0x7ffc53812e20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x7ffc55822940 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x7ffc55825af0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExA, address_out = 0x7ffc57ab7d70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7ffc55825b20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount, address_out = 0x7ffc558160a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesW, address_out = 0x7ffc55825930 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileW, address_out = 0x7ffc55825840 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextW, address_out = 0x7ffc57ab89e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MoveFileExW, address_out = 0x7ffc55823010 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetOpenEnumW, address_out = 0x7ffc53812f20 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoInitialize, address_out = 0x7ffc57763870 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDecrypt, address_out = 0x7ffc57ab9140 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptImportKey, address_out = 0x7ffc57ab7b40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointerEx, address_out = 0x7ffc55825b30 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileW, address_out = 0x7ffc55825d70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibrary, address_out = 0x7ffc5581eb90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessW, address_out = 0x7ffc5581dee0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryW, address_out = 0x7ffc55825740 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThread, address_out = 0x7ffc5581bc20 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDestroyKey, address_out = 0x7ffc57ab86b0 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoCreateInstance, address_out = 0x7ffc57257000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileW, address_out = 0x7ffc55825770 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesA, address_out = 0x7ffc55825900 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptEncrypt, address_out = 0x7ffc57abd7e0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueW, address_out = 0x7ffc57ab90b0 |
|
1 |
Service (111)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
User (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Lookup Privilege | privilege = SeBackupPrivilege, luid = 17 |
|
1 |
System (113)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
2 | |
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
30 | |
| Sleep | duration = 150 milliseconds (0.150 seconds) |
|
39 | |
| Sleep | duration = 50000 milliseconds (50.000 seconds) |
|
37 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
2 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #2: sihost.exe
86
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\sihost.exe |
| Command Line | sihost.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:05, Reason: Injection |
| Unmonitor | End Time: 00:01:27, Reason: Crashed |
| Monitor Duration | 00:00:22 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x704 |
| Parent PID | 0x324 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
CE0
0x
CC4
0x
4D0
0x
968
0x
950
0x
490
0x
46C
0x
7CC
0x
7C8
0x
7BC
0x
7B0
0x
7AC
0x
774
0x
770
0x
76C
0x
708
0x
DF8
0x
E3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000001e5f0d0000 | 0x1e5f0d0000 | 0x1e5f0dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000001e5f0e0000 | 0x1e5f0e0000 | 0x1e5f0e6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001e5f0f0000 | 0x1e5f0f0000 | 0x1e5f103fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001e5f110000 | 0x1e5f110000 | 0x1e5f18ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001e5f190000 | 0x1e5f190000 | 0x1e5f193fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001e5f1a0000 | 0x1e5f1a0000 | 0x1e5f1a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x1e5f1b0000 | 0x1e5f26dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001e5f270000 | 0x1e5f270000 | 0x1e5f2effff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e5f2f0000 | 0x1e5f2f0000 | 0x1e5f2f6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e5f300000 | 0x1e5f300000 | 0x1e5f300fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e5f310000 | 0x1e5f310000 | 0x1e5f310fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001e5f320000 | 0x1e5f320000 | 0x1e5f320fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001e5f330000 | 0x1e5f330000 | 0x1e5f330fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001e5f340000 | 0x1e5f340000 | 0x1e5f43ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e5f440000 | 0x1e5f440000 | 0x1e5f53ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e5f540000 | 0x1e5f540000 | 0x1e5f54ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001e5f550000 | 0x1e5f550000 | 0x1e5f6d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001e5f6e0000 | 0x1e5f6e0000 | 0x1e5f860fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001e5f870000 | 0x1e5f870000 | 0x1e60c6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x1e60c70000 | 0x1e60fa6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001e60fb0000 | 0x1e60fb0000 | 0x1e6102ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61030000 | 0x1e61030000 | 0x1e610affff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e610b0000 | 0x1e610b0000 | 0x1e6112ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61130000 | 0x1e61130000 | 0x1e611affff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e611b0000 | 0x1e611b0000 | 0x1e6122ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61230000 | 0x1e61230000 | 0x1e612affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001e612b0000 | 0x1e612b0000 | 0x1e612d9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000001e612f0000 | 0x1e612f0000 | 0x1e612fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61300000 | 0x1e61300000 | 0x1e613fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61400000 | 0x1e61400000 | 0x1e61bfffff | Private Memory | - |
|
|
|
- |
| private_0x0000001e61c00000 | 0x1e61c00000 | 0x1e61c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61c80000 | 0x1e61c80000 | 0x1e61cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61d00000 | 0x1e61d00000 | 0x1e61d7ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x1e61d80000 | 0x1e61e5efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001e61e60000 | 0x1e61e60000 | 0x1e61edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61ee0000 | 0x1e61ee0000 | 0x1e61f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61f60000 | 0x1e61f60000 | 0x1e61fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61fe0000 | 0x1e61fe0000 | 0x1e6205ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e62060000 | 0x1e62060000 | 0x1e620dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e620e0000 | 0x1e620e0000 | 0x1e621dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e621e0000 | 0x1e621e0000 | 0x1e6225ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e62260000 | 0x1e62260000 | 0x1e622dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff450000 | 0x7df5ff450000 | 0x7ff5ff44ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6ad000000 | 0x7ff6ad000000 | 0x7ff6ad395fff | Private Memory | rwx |
|
|
|
- |
| private_0x00007ff7050a8000 | 0x7ff7050a8000 | 0x7ff7050a9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050aa000 | 0x7ff7050aa000 | 0x7ff7050abfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050ac000 | 0x7ff7050ac000 | 0x7ff7050adfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050ae000 | 0x7ff7050ae000 | 0x7ff7050affff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050b0000 | 0x7ff7050b0000 | 0x7ff7050b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050b2000 | 0x7ff7050b2000 | 0x7ff7050b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050b4000 | 0x7ff7050b4000 | 0x7ff7050b5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050b6000 | 0x7ff7050b6000 | 0x7ff7050b7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050b8000 | 0x7ff7050b8000 | 0x7ff7050b9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050ba000 | 0x7ff7050ba000 | 0x7ff7050bbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050bc000 | 0x7ff7050bc000 | 0x7ff7050bdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050be000 | 0x7ff7050be000 | 0x7ff7050bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7050c0000 | 0x7ff7050c0000 | 0x7ff7051bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7051c0000 | 0x7ff7051c0000 | 0x7ff7051e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7051e3000 | 0x7ff7051e3000 | 0x7ff7051e4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7051e5000 | 0x7ff7051e5000 | 0x7ff7051e5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7051e6000 | 0x7ff7051e6000 | 0x7ff7051e7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7051e8000 | 0x7ff7051e8000 | 0x7ff7051e9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7051ea000 | 0x7ff7051ea000 | 0x7ff7051ebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7051ec000 | 0x7ff7051ec000 | 0x7ff7051edfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7051ee000 | 0x7ff7051ee000 | 0x7ff7051effff | Private Memory | rw |
|
|
|
- |
| sihost.exe | 0x7ff705a50000 | 0x7ff705a65fff | Memory Mapped File | rwx |
|
|
|
- |
| staterepository.core.dll | 0x7ffc46310000 | 0x7ffc463a8fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.staterepository.dll | 0x7ffc463b0000 | 0x7ffc46641fff | Memory Mapped File | rwx |
|
|
|
- |
| licensemanagerapi.dll | 0x7ffc488a0000 | 0x7ffc488abfff | Memory Mapped File | rwx |
|
|
|
- |
| twinui.appcore.dll | 0x7ffc48970000 | 0x7ffc48b7cfff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelproxy.dll | 0x7ffc48b80000 | 0x7ffc48b94fff | Memory Mapped File | rwx |
|
|
|
- |
| sharehost.dll | 0x7ffc48c80000 | 0x7ffc48d24fff | Memory Mapped File | rwx |
|
|
|
- |
| appcontracts.dll | 0x7ffc48d30000 | 0x7ffc48ddbfff | Memory Mapped File | rwx |
|
|
|
- |
| wpportinglibrary.dll | 0x7ffc48de0000 | 0x7ffc48de8fff | Memory Mapped File | rwx |
|
|
|
- |
| modernexecserver.dll | 0x7ffc48df0000 | 0x7ffc48ec7fff | Memory Mapped File | rwx |
|
|
|
- |
| dsclient.dll | 0x7ffc48ed0000 | 0x7ffc48edbfff | Memory Mapped File | rwx |
|
|
|
- |
| userdatatypehelperutil.dll | 0x7ffc48ee0000 | 0x7ffc48ef0fff | Memory Mapped File | rwx |
|
|
|
- |
| appointmentactivation.dll | 0x7ffc48f00000 | 0x7ffc48f21fff | Memory Mapped File | rwx |
|
|
|
- |
| activationmanager.dll | 0x7ffc48f30000 | 0x7ffc48f8dfff | Memory Mapped File | rwx |
|
|
|
- |
| edputil.dll | 0x7ffc48f90000 | 0x7ffc48fbefff | Memory Mapped File | rwx |
|
|
|
- |
| clipboardserver.dll | 0x7ffc48fc0000 | 0x7ffc48feffff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffc48ff0000 | 0x7ffc49459fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.shell.servicehostbuilder.dll | 0x7ffc49460000 | 0x7ffc49471fff | Memory Mapped File | rwx |
|
|
|
- |
| desktopshellext.dll | 0x7ffc49480000 | 0x7ffc49496fff | Memory Mapped File | rwx |
|
|
|
- |
| coreuicomponents.dll | 0x7ffc49bb0000 | 0x7ffc49e10fff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandbrokerclient.dll | 0x7ffc4b000000 | 0x7ffc4b010fff | Memory Mapped File | rwx |
|
|
|
- |
| notificationplatformcomponent.dll | 0x7ffc4b020000 | 0x7ffc4b02cfff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelclient.dll | 0x7ffc4b030000 | 0x7ffc4b072fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ffc4ddd0000 | 0x7ffc4e145fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp110_win.dll | 0x7ffc4f8f0000 | 0x7ffc4f981fff | Memory Mapped File | rwx |
|
|
|
- |
| policymanager.dll | 0x7ffc4f990000 | 0x7ffc4f9c8fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ffc50c00000 | 0x7ffc50d30fff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrproxy.dll | 0x7ffc50d40000 | 0x7ffc50d7dfff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc511b0000 | 0x7ffc51332fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ffc51340000 | 0x7ffc513b1fff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrcli.dll | 0x7ffc51410000 | 0x7ffc5141ffff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ffc525f0000 | 0x7ffc52611fff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ffc52730000 | 0x7ffc527f7fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffc52ef0000 | 0x7ffc52f16fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ffc52f40000 | 0x7ffc5302dfff | Memory Mapped File | rwx |
|
|
|
- |
| rmclient.dll | 0x7ffc531b0000 | 0x7ffc531d7fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffc53810000 | 0x7ffc5382bfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ffc53920000 | 0x7ffc53951fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc545f0000 | 0x7ffc54600fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc54db0000 | 0x7ffc54f70fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\fkgcs.exe | 0x61c | address = 0x7ff6ad000000, size = 3760128 |
|
1 | |
| Create Remote Thread | #1: c:\users\ciihmnxmn6ps\desktop\fkgcs.exe | 0x61c | address = 0x7ff6ad002870 |
|
1 |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\users\Public\sys | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
Host Behavior
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\users\Public\sys | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN |
|
1 | |
| Create | C:\users\Public\sys | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN |
|
1 |
Module (78)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffc55800000 |
|
1 | |
| Load | mpr.dll | base_address = 0x7ffc53810000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x7ffc57aa0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7ffc57750000 |
|
1 | |
| Load | Shell32.dll | base_address = 0x7ffc559d0000 |
|
1 | |
| Load | Iphlpapi.dll | base_address = 0x7ffc51c50000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7ffc55822080 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7ffc55816060 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualFree, address_out = 0x7ffc5581bc10 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptExportKey, address_out = 0x7ffc57ab7b50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileW, address_out = 0x7ffc558257a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDriveTypeW, address_out = 0x7ffc558258f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCommandLineW, address_out = 0x7ffc55820150 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetStartupInfoW, address_out = 0x7ffc5581ed80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileW, address_out = 0x7ffc55825880 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualAlloc, address_out = 0x7ffc5581baf0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7ffc57acec40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ExitProcess, address_out = 0x7ffc5581ef50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffc558436a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x7ffc5581d5b0 |
|
1 | |
| Get Address | c:\windows\system32\iphlpapi.dll | function = GetIpNetTable, address_out = 0x7ffc51c6f0b0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x7ffc5581aa30 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffc55843690 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDefaultLangID, address_out = 0x7ffc55822ba0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameW, address_out = 0x7ffc57abda40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x7ffc55825a90 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegQueryValueExA, address_out = 0x7ffc57ab7dd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7ffc55825510 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegSetValueExW, address_out = 0x7ffc57ab7850 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7ffc57ab72e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7ffc5583e430 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesW, address_out = 0x7ffc55825b00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WinExec, address_out = 0x7ffc55841e60 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDeriveKey, address_out = 0x7ffc57ad07a0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptGenKey, address_out = 0x7ffc57abcab0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Sleep, address_out = 0x7ffc55818f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcess, address_out = 0x7ffc55816580 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteW, address_out = 0x7ffc55b1abc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x7ffc55825950 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GlobalAlloc, address_out = 0x7ffc5581b810 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x7ffc558257c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForMultipleObjects, address_out = 0x7ffc558256e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameA, address_out = 0x7ffc55820c70 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteA, address_out = 0x7ffc55bd7de0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleA, address_out = 0x7ffc5581e6d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameW, address_out = 0x7ffc5581eca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7ffc55825760 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSizeEx, address_out = 0x7ffc55825960 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x7ffc55825b80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalDrives, address_out = 0x7ffc558166d0 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetEnumResourceW, address_out = 0x7ffc538127d0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7ffc57ab6cb0 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetCloseEnum, address_out = 0x7ffc53812e20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x7ffc55822940 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x7ffc55825af0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExA, address_out = 0x7ffc57ab7d70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7ffc55825b20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount, address_out = 0x7ffc558160a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesW, address_out = 0x7ffc55825930 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileW, address_out = 0x7ffc55825840 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextW, address_out = 0x7ffc57ab89e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MoveFileExW, address_out = 0x7ffc55823010 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetOpenEnumW, address_out = 0x7ffc53812f20 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoInitialize, address_out = 0x7ffc57763870 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDecrypt, address_out = 0x7ffc57ab9140 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptImportKey, address_out = 0x7ffc57ab7b40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointerEx, address_out = 0x7ffc55825b30 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileW, address_out = 0x7ffc55825d70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibrary, address_out = 0x7ffc5581eb90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessW, address_out = 0x7ffc5581dee0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryW, address_out = 0x7ffc55825740 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThread, address_out = 0x7ffc5581bc20 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDestroyKey, address_out = 0x7ffc57ab86b0 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoCreateInstance, address_out = 0x7ffc57257000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileW, address_out = 0x7ffc55825770 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesA, address_out = 0x7ffc55825900 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptEncrypt, address_out = 0x7ffc57abd7e0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueW, address_out = 0x7ffc57ab90b0 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeBackupPrivilege, luid = 17 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 |
Process #3: taskhostw.exe
88
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\taskhostw.exe |
| Command Line | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:06, Reason: Injection |
| Unmonitor | End Time: 00:04:41, Reason: Crashed |
| Monitor Duration | 00:03:35 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x77c |
| Parent PID | 0x324 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C88
0x
82C
0x
B7C
0x
AB0
0x
A2C
0x
940
0x
93C
0x
938
0x
934
0x
7B4
0x
780
0x
DDC
0x
D74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000a699760000 | 0xa699760000 | 0xa69976ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a699770000 | 0xa699770000 | 0xa699776fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a699780000 | 0xa699780000 | 0xa699793fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a6997a0000 | 0xa6997a0000 | 0xa69981ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a699820000 | 0xa699820000 | 0xa699823fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a699830000 | 0xa699830000 | 0xa699830fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a699840000 | 0xa699840000 | 0xa699841fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a699850000 | 0xa699850000 | 0xa699856fff | Private Memory | rw |
|
|
|
- |
| taskhostw.exe.mui | 0xa699860000 | 0xa699860fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a699870000 | 0xa699870000 | 0xa699870fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a699880000 | 0xa699880000 | 0xa699880fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a699890000 | 0xa699890000 | 0xa699893fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a6998a0000 | 0xa6998a0000 | 0xa6998a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a6998b0000 | 0xa6998b0000 | 0xa6999affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xa6999b0000 | 0xa699a6dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a699a70000 | 0xa699a70000 | 0xa699aeffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a699af0000 | 0xa699af0000 | 0xa699b6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a699b70000 | 0xa699b70000 | 0xa699c27fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a699c30000 | 0xa699c30000 | 0xa699c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a699c40000 | 0xa699c40000 | 0xa699c40fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a699c50000 | 0xa699c50000 | 0xa699c50fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a699c60000 | 0xa699c60000 | 0xa699c60fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a699c70000 | 0xa699c70000 | 0xa699c7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a699c80000 | 0xa699c80000 | 0xa699e07fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a699e10000 | 0xa699e10000 | 0xa699f90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a699fa0000 | 0xa699fa0000 | 0xa69b39ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a69b3a0000 | 0xa69b3a0000 | 0xa69b41ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69b420000 | 0xa69b420000 | 0xa69b420fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a69b430000 | 0xa69b430000 | 0xa69b43ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69b440000 | 0xa69b440000 | 0xa69b44ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69b450000 | 0xa69b450000 | 0xa69b45ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69b460000 | 0xa69b460000 | 0xa69b46ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69b470000 | 0xa69b470000 | 0xa69b47ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69b480000 | 0xa69b480000 | 0xa69b48ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a69b490000 | 0xa69b490000 | 0xa69b497fff | Private Memory | rw |
|
|
|
- |
| winmm.dll.mui | 0xa69b4a0000 | 0xa69b4a5fff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa69b4b0000 | 0xa69b4bffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa69b4c0000 | 0xa69b4cffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000a69b4d0000 | 0xa69b4d0000 | 0xa69b4dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa69b4e0000 | 0xa69b4effff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa69b4f0000 | 0xa69b4fffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa69b500000 | 0xa69b50ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa69b510000 | 0xa69b51ffff | Memory Mapped File | r |
|
|
|
- |
| sortdefault.nls | 0xa69b520000 | 0xa69b856fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a69b860000 | 0xa69b860000 | 0xa69b8dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69b8e0000 | 0xa69b8e0000 | 0xa69b95ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69b960000 | 0xa69b960000 | 0xa69ba5ffff | Private Memory | rw |
|
|
|
- |
| msctfmonitor.dll.mui | 0xa69ba60000 | 0xa69ba60fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a69ba70000 | 0xa69ba70000 | 0xa69baeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a69baf0000 | 0xa69baf0000 | 0xa69baf0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a69bb00000 | 0xa69bb00000 | 0xa69bb06fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a69bb10000 | 0xa69bb10000 | 0xa69bb1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69bb20000 | 0xa69bb20000 | 0xa69bb2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69bb30000 | 0xa69bb30000 | 0xa69bb3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69bb40000 | 0xa69bb40000 | 0xa69bb4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69bb50000 | 0xa69bb50000 | 0xa69bb5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69bb60000 | 0xa69bb60000 | 0xa69bb6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a69bb70000 | 0xa69bb70000 | 0xa69cb6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69cb70000 | 0xa69cb70000 | 0xa69cb70fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69cb80000 | 0xa69cb80000 | 0xa69cb80fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69cb90000 | 0xa69cb90000 | 0xa69cb93fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69cba0000 | 0xa69cba0000 | 0xa69cba1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69cbb0000 | 0xa69cbb0000 | 0xa69cbb0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69cbc0000 | 0xa69cbc0000 | 0xa69cc4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69cc50000 | 0xa69cc50000 | 0xa6a0c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a6a0c50000 | 0xa6a0c50000 | 0xa6a4c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a6a4c50000 | 0xa6a4c50000 | 0xa6a4c57fff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa6a4c60000 | 0xa6a4c6ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4c70000 | 0xa6a4c7ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4c80000 | 0xa6a4c8ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4c90000 | 0xa6a4c9ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4ca0000 | 0xa6a4caffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4cb0000 | 0xa6a4cbffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4cc0000 | 0xa6a4ccffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4cd0000 | 0xa6a4cdffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4ce0000 | 0xa6a4ceffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4cf0000 | 0xa6a4cfffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4d00000 | 0xa6a4d0ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4d10000 | 0xa6a4d1ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4d20000 | 0xa6a4d2ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4d30000 | 0xa6a4d3ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4d40000 | 0xa6a4d4ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4d50000 | 0xa6a4d5ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a6a4d60000 | 0xa6a4d60000 | 0xa6a4ddffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a6a4de0000 | 0xa6a4de0000 | 0xa6a4de7fff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa6a4df0000 | 0xa6a4dfffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4e00000 | 0xa6a4e0ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4e10000 | 0xa6a4e1ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4e20000 | 0xa6a4e2ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4e30000 | 0xa6a4e3ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4e40000 | 0xa6a4e4ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a6a4e50000 | 0xa6a4e50000 | 0xa6a4e57fff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa6a4e60000 | 0xa6a4e6ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4e70000 | 0xa6a4e7ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000a6a4e80000 | 0xa6a4e80000 | 0xa6a4e8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa6a4e90000 | 0xa6a4e9ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4ea0000 | 0xa6a4eaffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4eb0000 | 0xa6a4ebffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4ec0000 | 0xa6a4ecffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4ed0000 | 0xa6a4edffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a6a4ee0000 | 0xa6a4ee0000 | 0xa6a4f5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a6a4f60000 | 0xa6a4f60000 | 0xa6a4f6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa6a4f70000 | 0xa6a4f7ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4f80000 | 0xa6a4f8ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4f90000 | 0xa6a4f9ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4fa0000 | 0xa6a4faffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a6a4fb0000 | 0xa6a4fb0000 | 0xa6a502ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a6a5030000 | 0xa6a5030000 | 0xa6a50affff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa6a50b0000 | 0xa6a50bffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a50c0000 | 0xa6a50cffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a50d0000 | 0xa6a50dffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a50e0000 | 0xa6a50effff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a50f0000 | 0xa6a50fffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5100000 | 0xa6a510ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5110000 | 0xa6a511ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5120000 | 0xa6a512ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5130000 | 0xa6a513ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5140000 | 0xa6a514ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a6a5150000 | 0xa6a5150000 | 0xa6a524ffff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa6a5250000 | 0xa6a525ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5260000 | 0xa6a526ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5270000 | 0xa6a527ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5280000 | 0xa6a528ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5290000 | 0xa6a529ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a52a0000 | 0xa6a52affff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a52b0000 | 0xa6a52bffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a52c0000 | 0xa6a52cffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a52d0000 | 0xa6a52dffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a52e0000 | 0xa6a52effff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a52f0000 | 0xa6a52fffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5300000 | 0xa6a530ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5310000 | 0xa6a531ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5330000 | 0xa6a533ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5340000 | 0xa6a534ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5350000 | 0xa6a535ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5360000 | 0xa6a536ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5370000 | 0xa6a537ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5380000 | 0xa6a538ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5390000 | 0xa6a539ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a53a0000 | 0xa6a53affff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a53b0000 | 0xa6a53bffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a53c0000 | 0xa6a53cffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a53d0000 | 0xa6a53dffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a53e0000 | 0xa6a53effff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a53f0000 | 0xa6a53fffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5400000 | 0xa6a540ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a6a5410000 | 0xa6a5410000 | 0xa6a5417fff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa6a5420000 | 0xa6a542ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5430000 | 0xa6a543ffff | Memory Mapped File | r |
|
|
|
- |
|
For performance reasons, the remaining 68 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create Remote Thread | #1: c:\users\ciihmnxmn6ps\desktop\fkgcs.exe | 0x61c | address = 0x7ff6ad002870 |
|
1 |
Host Behavior
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\users\Public\sys | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN |
|
1 | |
| Create | C:\users\Public\sys | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN |
|
1 |
Module (78)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffc55800000 |
|
1 | |
| Load | mpr.dll | base_address = 0x7ffc53810000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x7ffc57aa0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7ffc57750000 |
|
1 | |
| Load | Shell32.dll | base_address = 0x7ffc559d0000 |
|
1 | |
| Load | Iphlpapi.dll | base_address = 0x7ffc51c50000 |
|
1 | |
| Get Address | Unknown module name | function = LoadLibraryA, address_out = 0x7ffc55822080 |
|
1 | |
| Get Address | Unknown module name | function = GetLastError, address_out = 0x7ffc55816060 |
|
1 | |
| Get Address | Unknown module name | function = VirtualFree, address_out = 0x7ffc5581bc10 |
|
1 | |
| Get Address | Unknown module name | function = CryptExportKey, address_out = 0x7ffc57ab7b50 |
|
1 | |
| Get Address | Unknown module name | function = DeleteFileW, address_out = 0x7ffc558257a0 |
|
1 | |
| Get Address | Unknown module name | function = GetDriveTypeW, address_out = 0x7ffc558258f0 |
|
1 | |
| Get Address | Unknown module name | function = GetCommandLineW, address_out = 0x7ffc55820150 |
|
1 | |
| Get Address | Unknown module name | function = GetStartupInfoW, address_out = 0x7ffc5581ed80 |
|
1 | |
| Get Address | Unknown module name | function = FindNextFileW, address_out = 0x7ffc55825880 |
|
1 | |
| Get Address | Unknown module name | function = VirtualAlloc, address_out = 0x7ffc5581baf0 |
|
1 | |
| Get Address | Unknown module name | function = GetUserNameA, address_out = 0x7ffc57acec40 |
|
1 | |
| Get Address | Unknown module name | function = ExitProcess, address_out = 0x7ffc5581ef50 |
|
1 | |
| Get Address | Unknown module name | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffc558436a0 |
|
1 | |
| Get Address | Unknown module name | function = CreateProcessA, address_out = 0x7ffc5581d5b0 |
|
1 | |
| Get Address | Unknown module name | function = GetIpNetTable, address_out = 0x7ffc51c6f0b0 |
|
1 | |
| Get Address | Unknown module name | function = GetVersionExW, address_out = 0x7ffc5581aa30 |
|
1 | |
| Get Address | Unknown module name | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffc55843690 |
|
1 | |
| Get Address | Unknown module name | function = GetSystemDefaultLangID, address_out = 0x7ffc55822ba0 |
|
1 | |
| Get Address | Unknown module name | function = GetUserNameW, address_out = 0x7ffc57abda40 |
|
1 | |
| Get Address | Unknown module name | function = ReadFile, address_out = 0x7ffc55825a90 |
|
1 | |
| Get Address | Unknown module name | function = RegQueryValueExA, address_out = 0x7ffc57ab7dd0 |
|
1 | |
| Get Address | Unknown module name | function = CloseHandle, address_out = 0x7ffc55825510 |
|
1 | |
| Get Address | Unknown module name | function = RegSetValueExW, address_out = 0x7ffc57ab7850 |
|
1 | |
| Get Address | Unknown module name | function = RegCloseKey, address_out = 0x7ffc57ab72e0 |
|
1 | |
| Get Address | Unknown module name | function = CopyFileA, address_out = 0x7ffc5583e430 |
|
1 | |
| Get Address | Unknown module name | function = SetFileAttributesW, address_out = 0x7ffc55825b00 |
|
1 | |
| Get Address | Unknown module name | function = WinExec, address_out = 0x7ffc55841e60 |
|
1 | |
| Get Address | Unknown module name | function = CryptDeriveKey, address_out = 0x7ffc57ad07a0 |
|
1 | |
| Get Address | Unknown module name | function = CryptGenKey, address_out = 0x7ffc57abcab0 |
|
1 | |
| Get Address | Unknown module name | function = Sleep, address_out = 0x7ffc55818f00 |
|
1 | |
| Get Address | Unknown module name | function = GetCurrentProcess, address_out = 0x7ffc55816580 |
|
1 | |
| Get Address | Unknown module name | function = ShellExecuteW, address_out = 0x7ffc55b1abc0 |
|
1 | |
| Get Address | Unknown module name | function = GetFileSize, address_out = 0x7ffc55825950 |
|
1 | |
| Get Address | Unknown module name | function = GlobalAlloc, address_out = 0x7ffc5581b810 |
|
1 | |
| Get Address | Unknown module name | function = FindClose, address_out = 0x7ffc558257c0 |
|
1 | |
| Get Address | Unknown module name | function = WaitForMultipleObjects, address_out = 0x7ffc558256e0 |
|
1 | |
| Get Address | Unknown module name | function = GetModuleFileNameA, address_out = 0x7ffc55820c70 |
|
1 | |
| Get Address | Unknown module name | function = ShellExecuteA, address_out = 0x7ffc55bd7de0 |
|
1 | |
| Get Address | Unknown module name | function = GetModuleHandleA, address_out = 0x7ffc5581e6d0 |
|
1 | |
| Get Address | Unknown module name | function = GetModuleFileNameW, address_out = 0x7ffc5581eca0 |
|
1 | |
| Get Address | Unknown module name | function = CreateFileA, address_out = 0x7ffc55825760 |
|
1 | |
| Get Address | Unknown module name | function = GetFileSizeEx, address_out = 0x7ffc55825960 |
|
1 | |
| Get Address | Unknown module name | function = WriteFile, address_out = 0x7ffc55825b80 |
|
1 | |
| Get Address | Unknown module name | function = GetLogicalDrives, address_out = 0x7ffc558166d0 |
|
1 | |
| Get Address | Unknown module name | function = WNetEnumResourceW, address_out = 0x7ffc538127d0 |
|
1 | |
| Get Address | Unknown module name | function = RegOpenKeyExW, address_out = 0x7ffc57ab6cb0 |
|
1 | |
| Get Address | Unknown module name | function = WNetCloseEnum, address_out = 0x7ffc53812e20 |
|
1 | |
| Get Address | Unknown module name | function = GetWindowsDirectoryW, address_out = 0x7ffc55822940 |
|
1 | |
| Get Address | Unknown module name | function = SetFileAttributesA, address_out = 0x7ffc55825af0 |
|
1 | |
| Get Address | Unknown module name | function = RegOpenKeyExA, address_out = 0x7ffc57ab7d70 |
|
1 | |
| Get Address | Unknown module name | function = SetFilePointer, address_out = 0x7ffc55825b20 |
|
1 | |
| Get Address | Unknown module name | function = GetTickCount, address_out = 0x7ffc558160a0 |
|
1 | |
| Get Address | Unknown module name | function = GetFileAttributesW, address_out = 0x7ffc55825930 |
|
1 | |
| Get Address | Unknown module name | function = FindFirstFileW, address_out = 0x7ffc55825840 |
|
1 | |
| Get Address | Unknown module name | function = CryptAcquireContextW, address_out = 0x7ffc57ab89e0 |
|
1 | |
| Get Address | Unknown module name | function = MoveFileExW, address_out = 0x7ffc55823010 |
|
1 | |
| Get Address | Unknown module name | function = WNetOpenEnumW, address_out = 0x7ffc53812f20 |
|
1 | |
| Get Address | Unknown module name | function = CoInitialize, address_out = 0x7ffc57763870 |
|
1 | |
| Get Address | Unknown module name | function = CryptDecrypt, address_out = 0x7ffc57ab9140 |
|
1 | |
| Get Address | Unknown module name | function = CryptImportKey, address_out = 0x7ffc57ab7b40 |
|
1 | |
| Get Address | Unknown module name | function = SetFilePointerEx, address_out = 0x7ffc55825b30 |
|
1 | |
| Get Address | Unknown module name | function = CopyFileW, address_out = 0x7ffc55825d70 |
|
1 | |
| Get Address | Unknown module name | function = FreeLibrary, address_out = 0x7ffc5581eb90 |
|
1 | |
| Get Address | Unknown module name | function = CreateProcessW, address_out = 0x7ffc5581dee0 |
|
1 | |
| Get Address | Unknown module name | function = CreateDirectoryW, address_out = 0x7ffc55825740 |
|
1 | |
| Get Address | Unknown module name | function = CreateThread, address_out = 0x7ffc5581bc20 |
|
1 | |
| Get Address | Unknown module name | function = CryptDestroyKey, address_out = 0x7ffc57ab86b0 |
|
1 | |
| Get Address | Unknown module name | function = CoCreateInstance, address_out = 0x7ffc57257000 |
|
1 | |
| Get Address | Unknown module name | function = CreateFileW, address_out = 0x7ffc55825770 |
|
1 | |
| Get Address | Unknown module name | function = GetFileAttributesA, address_out = 0x7ffc55825900 |
|
1 | |
| Get Address | Unknown module name | function = CryptEncrypt, address_out = 0x7ffc57abd7e0 |
|
1 | |
| Get Address | Unknown module name | function = RegDeleteValueW, address_out = 0x7ffc57ab90b0 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeBackupPrivilege, luid = 17 |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 | |
| Sleep | duration = 25000 milliseconds (25.000 seconds) |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
2 |
Process #4: net.exe
0
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "spooler" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:06, Reason: Child Process |
| Unmonitor | End Time: 00:01:20, Reason: Self Terminated |
| Monitor Duration | 00:00:14 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe4c |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E44
0x
F04
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000cb42380000 | 0xcb42380000 | 0xcb4239ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cb42380000 | 0xcb42380000 | 0xcb4238ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000cb423a0000 | 0xcb423a0000 | 0xcb423b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000cb423c0000 | 0xcb423c0000 | 0xcb4243ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cb42440000 | 0xcb42440000 | 0xcb42443fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000cb42450000 | 0xcb42450000 | 0xcb42450fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000cb42460000 | 0xcb42460000 | 0xcb42461fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xcb42470000 | 0xcb4252dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000cb42570000 | 0xcb42570000 | 0xcb4266ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff0f0000 | 0x7df5ff0f0000 | 0x7ff5ff0effff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d64e0000 | 0x7ff6d64e0000 | 0x7ff6d65dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d65e0000 | 0x7ff6d65e0000 | 0x7ff6d6602fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d6607000 | 0x7ff6d6607000 | 0x7ff6d6607fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d660e000 | 0x7ff6d660e000 | 0x7ff6d660ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #5: net.exe
0
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:07, Reason: Child Process |
| Unmonitor | End Time: 00:01:26, Reason: Self Terminated |
| Monitor Duration | 00:00:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe2c |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E28
0x
EF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000e152660000 | 0xe152660000 | 0xe15267ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e152660000 | 0xe152660000 | 0xe15266ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000e152670000 | 0xe152670000 | 0xe152676fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e152680000 | 0xe152680000 | 0xe152693fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e1526a0000 | 0xe1526a0000 | 0xe15271ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e152720000 | 0xe152720000 | 0xe152723fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e152730000 | 0xe152730000 | 0xe152730fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e152740000 | 0xe152740000 | 0xe152741fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xe152750000 | 0xe15280dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e152810000 | 0xe152810000 | 0xe152816fff | Private Memory | rw |
|
|
|
- |
| private_0x000000e152820000 | 0xe152820000 | 0xe15291ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e152920000 | 0xe152920000 | 0xe15299ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e152a30000 | 0xe152a30000 | 0xe152a3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff720000 | 0x7df5ff720000 | 0x7ff5ff71ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d69f0000 | 0x7ff6d69f0000 | 0x7ff6d6aeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6af0000 | 0x7ff6d6af0000 | 0x7ff6d6b12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d6b19000 | 0x7ff6d6b19000 | 0x7ff6d6b19fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d6b1c000 | 0x7ff6d6b1c000 | 0x7ff6d6b1dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d6b1e000 | 0x7ff6d6b1e000 | 0x7ff6d6b1ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc3e660000 | 0x7ffc3e673fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffc53810000 | 0x7ffc5382bfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #6: runtimebroker.exe
140
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\system32\runtimebroker.exe |
| Command Line | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:07, Reason: Injection |
| Unmonitor | End Time: 00:04:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:34 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7f8 |
| Parent PID | 0x23c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C10
0x
7B8
0x
FFC
0x
A30
0x
A1C
0x
854
0x
83C
0x
808
0x
11C
0x
DB8
0x
3310
0x
5DF4
0x
5E6C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000003cd1d40000 | 0x3cd1d40000 | 0x3cd1d4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000003cd1d50000 | 0x3cd1d50000 | 0x3cd1d50fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd1d60000 | 0x3cd1d60000 | 0x3cd1d73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003cd1d80000 | 0x3cd1d80000 | 0x3cd1dfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd1e00000 | 0x3cd1e00000 | 0x3cd1e03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000003cd1e10000 | 0x3cd1e10000 | 0x3cd1e11fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003cd1e20000 | 0x3cd1e20000 | 0x3cd1e21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd1e30000 | 0x3cd1e30000 | 0x3cd1e36fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x3cd1e40000 | 0x3cd1efdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003cd1f00000 | 0x3cd1f00000 | 0x3cd1ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd2000000 | 0x3cd2000000 | 0x3cd207ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd2080000 | 0x3cd2080000 | 0x3cd20fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd2100000 | 0x3cd2100000 | 0x3cd2100fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd2110000 | 0x3cd2110000 | 0x3cd2110fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x3cd2120000 | 0x3cd2123fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db | 0x3cd2130000 | 0x3cd2172fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x3cd2180000 | 0x3cd2183fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000003cd2190000 | 0x3cd2190000 | 0x3cd2190fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd21a0000 | 0x3cd21a0000 | 0x3cd21a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000003cd21b0000 | 0x3cd21b0000 | 0x3cd21d9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd21e0000 | 0x3cd21e0000 | 0x3cd21e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003cd21f0000 | 0x3cd21f0000 | 0x3cd21f6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd2200000 | 0x3cd2200000 | 0x3cd2206fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd2210000 | 0x3cd2210000 | 0x3cd228ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd2290000 | 0x3cd2290000 | 0x3cd2290fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd22a0000 | 0x3cd22a0000 | 0x3cd22a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| windows.storage.dll.mui | 0x3cd22b0000 | 0x3cd22b7fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000003cd22c0000 | 0x3cd22c0000 | 0x3cd22c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003cd22d0000 | 0x3cd22d0000 | 0x3cd22d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd22e0000 | 0x3cd22e0000 | 0x3cd22e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003cd22f0000 | 0x3cd22f0000 | 0x3cd22f8fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd2300000 | 0x3cd2300000 | 0x3cd23fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd2400000 | 0x3cd2400000 | 0x3cd2587fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000003cd2590000 | 0x3cd2590000 | 0x3cd2710fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000003cd2720000 | 0x3cd2720000 | 0x3cd3b1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x3cd3b20000 | 0x3cd3e56fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003cd3e60000 | 0x3cd3e60000 | 0x3cd3edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd3ee0000 | 0x3cd3ee0000 | 0x3cd3f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd3f60000 | 0x3cd3f60000 | 0x3cd3fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd3fe0000 | 0x3cd3fe0000 | 0x3cd40dffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x3cd40e0000 | 0x3cd40e3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003cd40f0000 | 0x3cd40f0000 | 0x3cd40f8fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd4100000 | 0x3cd4100000 | 0x3cd41fffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x3cd4200000 | 0x3cd428afff | Memory Mapped File | r |
|
|
|
- |
| shell32.dll.mui | 0x3cd4290000 | 0x3cd42f0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003cd4300000 | 0x3cd4300000 | 0x3cd437ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd4380000 | 0x3cd4380000 | 0x3cd43fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd4400000 | 0x3cd4400000 | 0x3cd4423fff | Private Memory | rw |
|
|
|
- |
| propsys.dll.mui | 0x3cd4430000 | 0x3cd4440fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000003cd4450000 | 0x3cd4450000 | 0x3cd4453fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000003cd4460000 | 0x3cd4460000 | 0x3cd455ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd4560000 | 0x3cd4560000 | 0x3cd4583fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd4600000 | 0x3cd4600000 | 0x3cd46fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd4700000 | 0x3cd4700000 | 0x3cd47fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd4800000 | 0x3cd4800000 | 0x3cd48fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd4900000 | 0x3cd4900000 | 0x3cd497ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffbe0000 | 0x7df5ffbe0000 | 0x7ff5ffbdffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff609b86000 | 0x7ff609b86000 | 0x7ff609b87fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff609b88000 | 0x7ff609b88000 | 0x7ff609b89fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff609b8a000 | 0x7ff609b8a000 | 0x7ff609b8bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff609b8c000 | 0x7ff609b8c000 | 0x7ff609b8dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff609b8e000 | 0x7ff609b8e000 | 0x7ff609b8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff609b90000 | 0x7ff609b90000 | 0x7ff609c8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff609c90000 | 0x7ff609c90000 | 0x7ff609cb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff609cb4000 | 0x7ff609cb4000 | 0x7ff609cb5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff609cb6000 | 0x7ff609cb6000 | 0x7ff609cb7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff609cb8000 | 0x7ff609cb8000 | 0x7ff609cb9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff609cba000 | 0x7ff609cba000 | 0x7ff609cbbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff609cbc000 | 0x7ff609cbc000 | 0x7ff609cbdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff609cbe000 | 0x7ff609cbe000 | 0x7ff609cbefff | Private Memory | rw |
|
|
|
- |
| runtimebroker.exe | 0x7ff60a170000 | 0x7ff60a185fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff6ad000000 | 0x7ff6ad000000 | 0x7ff6ad395fff | Private Memory | rwx |
|
|
|
- |
| ntoskrnl.exe | 0x7ff6efa30000 | 0x7ff6f0281fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.search.dll | 0x7ffc3f1f0000 | 0x7ffc3f2bafff | Memory Mapped File | rwx |
|
|
|
- |
| structuredquery.dll | 0x7ffc40ad0000 | 0x7ffc40b86fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.networking.hostname.dll | 0x7ffc42260000 | 0x7ffc42297fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.internal.shell.broker.dll | 0x7ffc44180000 | 0x7ffc44211fff | Memory Mapped File | rwx |
|
|
|
- |
| authbroker.dll | 0x7ffc44ce0000 | 0x7ffc44d05fff | Memory Mapped File | rwx |
|
|
|
- |
| msauserext.dll | 0x7ffc44d10000 | 0x7ffc44d29fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.security.authentication.onlineid.dll | 0x7ffc44de0000 | 0x7ffc44e92fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.networking.connectivity.dll | 0x7ffc469c0000 | 0x7ffc46a6bfff | Memory Mapped File | rwx |
|
|
|
- |
| wwapi.dll | 0x7ffc46cf0000 | 0x7ffc46d05fff | Memory Mapped File | rwx |
|
|
|
- |
| tokenbroker.dll | 0x7ffc486a0000 | 0x7ffc48765fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffc48ff0000 | 0x7ffc49459fff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelclient.dll | 0x7ffc4b030000 | 0x7ffc4b072fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ffc4b090000 | 0x7ffc4b09dfff | Memory Mapped File | rwx |
|
|
|
- |
| wlanapi.dll | 0x7ffc4b170000 | 0x7ffc4b1cefff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x7ffc4b290000 | 0x7ffc4b536fff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7ffc4c220000 | 0x7ffc4c25efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4cbd0000 | 0x7ffc4ce43fff | Memory Mapped File | rwx |
|
|
|
- |
| idstore.dll | 0x7ffc4cf00000 | 0x7ffc4cf26fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.immersive.dll | 0x7ffc4dc10000 | 0x7ffc4ddc6fff | Memory Mapped File | rwx |
|
|
|
- |
| mrmcorer.dll | 0x7ffc4f1f0000 | 0x7ffc4f2fefff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x7ffc50bd0000 | 0x7ffc50bebfff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ffc50c00000 | 0x7ffc50d30fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc511b0000 | 0x7ffc51332fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ffc51340000 | 0x7ffc513b1fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| windowscodecs.dll | 0x7ffc51e70000 | 0x7ffc52021fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ffc52640000 | 0x7ffc52652fff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ffc52730000 | 0x7ffc527f7fff | Memory Mapped File | rwx |
|
|
|
- |
| sppc.dll | 0x7ffc52bd0000 | 0x7ffc52bf4fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x7ffc52c00000 | 0x7ffc52c25fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ffc52cd0000 | 0x7ffc52d47fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffc52ef0000 | 0x7ffc52f16fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffc53810000 | 0x7ffc5382bfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7ffc54440000 | 0x7ffc544d7fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc545f0000 | 0x7ffc54600fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc54db0000 | 0x7ffc54f70fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create Remote Thread | #1: c:\users\ciihmnxmn6ps\desktop\fkgcs.exe | 0x61c | address = 0x7ff6ad002870 |
|
1 |
Host Behavior
File (20)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\users\Public\sys | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN |
|
20 |
Module (78)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffc55800000 |
|
1 | |
| Load | mpr.dll | base_address = 0x7ffc53810000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x7ffc57aa0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7ffc57750000 |
|
1 | |
| Load | Shell32.dll | base_address = 0x7ffc559d0000 |
|
1 | |
| Load | Iphlpapi.dll | base_address = 0x7ffc51c50000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7ffc55822080 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7ffc55816060 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualFree, address_out = 0x7ffc5581bc10 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptExportKey, address_out = 0x7ffc57ab7b50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileW, address_out = 0x7ffc558257a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDriveTypeW, address_out = 0x7ffc558258f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCommandLineW, address_out = 0x7ffc55820150 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetStartupInfoW, address_out = 0x7ffc5581ed80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileW, address_out = 0x7ffc55825880 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualAlloc, address_out = 0x7ffc5581baf0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7ffc57acec40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ExitProcess, address_out = 0x7ffc5581ef50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffc558436a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x7ffc5581d5b0 |
|
1 | |
| Get Address | c:\windows\system32\iphlpapi.dll | function = GetIpNetTable, address_out = 0x7ffc51c6f0b0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x7ffc5581aa30 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffc55843690 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDefaultLangID, address_out = 0x7ffc55822ba0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameW, address_out = 0x7ffc57abda40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x7ffc55825a90 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegQueryValueExA, address_out = 0x7ffc57ab7dd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7ffc55825510 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegSetValueExW, address_out = 0x7ffc57ab7850 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7ffc57ab72e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7ffc5583e430 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesW, address_out = 0x7ffc55825b00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WinExec, address_out = 0x7ffc55841e60 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDeriveKey, address_out = 0x7ffc57ad07a0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptGenKey, address_out = 0x7ffc57abcab0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Sleep, address_out = 0x7ffc55818f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcess, address_out = 0x7ffc55816580 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteW, address_out = 0x7ffc55b1abc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x7ffc55825950 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GlobalAlloc, address_out = 0x7ffc5581b810 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x7ffc558257c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForMultipleObjects, address_out = 0x7ffc558256e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameA, address_out = 0x7ffc55820c70 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteA, address_out = 0x7ffc55bd7de0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleA, address_out = 0x7ffc5581e6d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameW, address_out = 0x7ffc5581eca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7ffc55825760 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSizeEx, address_out = 0x7ffc55825960 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x7ffc55825b80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalDrives, address_out = 0x7ffc558166d0 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetEnumResourceW, address_out = 0x7ffc538127d0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7ffc57ab6cb0 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetCloseEnum, address_out = 0x7ffc53812e20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x7ffc55822940 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x7ffc55825af0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExA, address_out = 0x7ffc57ab7d70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7ffc55825b20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount, address_out = 0x7ffc558160a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesW, address_out = 0x7ffc55825930 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileW, address_out = 0x7ffc55825840 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextW, address_out = 0x7ffc57ab89e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MoveFileExW, address_out = 0x7ffc55823010 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetOpenEnumW, address_out = 0x7ffc53812f20 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoInitialize, address_out = 0x7ffc57763870 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDecrypt, address_out = 0x7ffc57ab9140 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptImportKey, address_out = 0x7ffc57ab7b40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointerEx, address_out = 0x7ffc55825b30 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileW, address_out = 0x7ffc55825d70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibrary, address_out = 0x7ffc5581eb90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessW, address_out = 0x7ffc5581dee0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryW, address_out = 0x7ffc55825740 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThread, address_out = 0x7ffc5581bc20 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDestroyKey, address_out = 0x7ffc57ab86b0 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoCreateInstance, address_out = 0x7ffc57257000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileW, address_out = 0x7ffc55825770 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesA, address_out = 0x7ffc55825900 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptEncrypt, address_out = 0x7ffc57abd7e0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueW, address_out = 0x7ffc57ab90b0 |
|
1 |
System (42)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 | |
| Sleep | duration = 25000 milliseconds (25.000 seconds) |
|
20 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
20 |
Process #9: net.exe
0
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:01:19, Reason: Self Terminated |
| Monitor Duration | 00:00:11 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdb4 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D7C
0x
DD8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000dbe7fb0000 | 0xdbe7fb0000 | 0xdbe7fcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dbe7fb0000 | 0xdbe7fb0000 | 0xdbe7fbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000dbe7fd0000 | 0xdbe7fd0000 | 0xdbe7fe3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000dbe7ff0000 | 0xdbe7ff0000 | 0xdbe806ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dbe8070000 | 0xdbe8070000 | 0xdbe8073fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000dbe8080000 | 0xdbe8080000 | 0xdbe8080fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000dbe8090000 | 0xdbe8090000 | 0xdbe8091fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xdbe80a0000 | 0xdbe815dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000dbe8160000 | 0xdbe8160000 | 0xdbe825ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff610000 | 0x7df5ff610000 | 0x7ff5ff60ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6470000 | 0x7ff6d6470000 | 0x7ff6d656ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6570000 | 0x7ff6d6570000 | 0x7ff6d6592fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d659d000 | 0x7ff6d659d000 | 0x7ff6d659efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d659f000 | 0x7ff6d659f000 | 0x7ff6d659ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #11: shellexperiencehost.exe
0
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe |
| Command Line | "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca |
| Initial Working Directory | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ |
| Monitor | Start Time: 00:01:15, Reason: Injection |
| Unmonitor | End Time: 00:04:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:26 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x980 |
| Parent PID | 0x23c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
2E0
0x
53C
0x
7A4
0x
BFC
0x
BF4
0x
BF0
0x
BEC
0x
BE8
0x
BE4
0x
BE0
0x
BDC
0x
BD8
0x
BD4
0x
BD0
0x
BCC
0x
BC8
0x
BC4
0x
BC0
0x
BBC
0x
BB8
0x
BB4
0x
BB0
0x
BA0
0x
B9C
0x
B98
0x
B94
0x
B34
0x
B1C
0x
B0C
0x
9D0
0x
9C8
0x
9C4
0x
9C0
0x
9BC
0x
9B0
0x
9AC
0x
9A8
0x
9A4
0x
9A0
0x
99C
0x
998
0x
994
0x
990
0x
984
0x
1E0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000da54c90000 | 0xda54c90000 | 0xda54c9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000da54ca0000 | 0xda54ca0000 | 0xda54ca0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da54cb0000 | 0xda54cb0000 | 0xda54cc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000da54cd0000 | 0xda54cd0000 | 0xda54dcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da54dd0000 | 0xda54dd0000 | 0xda54dd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000da54de0000 | 0xda54de0000 | 0xda54de1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000da54df0000 | 0xda54df0000 | 0xda54df0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da54e00000 | 0xda54e00000 | 0xda54e29fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000da54e30000 | 0xda54e30000 | 0xda54e30fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000da54e40000 | 0xda54e40000 | 0xda54e40fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000da54e50000 | 0xda54e50000 | 0xda54e50fff | Pagefile Backed Memory | rw |
|
|
|
- |
| 2504515037.pri | 0xda54e60000 | 0xda54e6bfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000da54e70000 | 0xda54e70000 | 0xda54e70fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000da54e80000 | 0xda54e80000 | 0xda54e86fff | Private Memory | rw |
|
|
|
- |
| private_0x000000da54e90000 | 0xda54e90000 | 0xda54e90fff | Private Memory | rw |
|
|
|
- |
| private_0x000000da54ea0000 | 0xda54ea0000 | 0xda54ea0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da54eb0000 | 0xda54eb0000 | 0xda54eb0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| resources.en-us.pri | 0xda54ed0000 | 0xda54edcfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000da54ee0000 | 0xda54ee0000 | 0xda54ee1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| windows.ui.xaml.dll.mui | 0xda54ef0000 | 0xda54ef9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000da54f00000 | 0xda54f00000 | 0xda54ffffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xda55000000 | 0xda550bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000da550c0000 | 0xda550c0000 | 0xda551bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da551c0000 | 0xda551c0000 | 0xda55347fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000da55350000 | 0xda55350000 | 0xda5535ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000da55360000 | 0xda55360000 | 0xda5536ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000da55370000 | 0xda55370000 | 0xda5537ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| tilecache_100_0_header.bin | 0xda55380000 | 0xda55382fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000da55390000 | 0xda55390000 | 0xda55390fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da553a0000 | 0xda553a0000 | 0xda553a3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000da553b0000 | 0xda553b0000 | 0xda553b6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da553c0000 | 0xda553c0000 | 0xda553f1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000da55400000 | 0xda55400000 | 0xda554fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da55500000 | 0xda55500000 | 0xda55680fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000da55690000 | 0xda55690000 | 0xda56a8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000da56a90000 | 0xda56a90000 | 0xda56b8ffff | Private Memory | rw |
|
|
|
- |
| windows.ui.xaml.resources.dll | 0xda56b90000 | 0xda56cc6fff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll.mui | 0xda56cd0000 | 0xda56daefff | Memory Mapped File | r |
|
|
|
- |
| sortdefault.nls | 0xda56db0000 | 0xda570e6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000da570f0000 | 0xda570f0000 | 0xda571effff | Private Memory | rw |
|
|
|
- |
| private_0x000000da571f0000 | 0xda571f0000 | 0xda572effff | Private Memory | rw |
|
|
|
- |
| private_0x000000da572f0000 | 0xda572f0000 | 0xda573effff | Private Memory | rw |
|
|
|
- |
| private_0x000000da573f0000 | 0xda573f0000 | 0xda574effff | Private Memory | rw |
|
|
|
- |
| private_0x000000da574f0000 | 0xda574f0000 | 0xda575effff | Private Memory | rw |
|
|
|
- |
| private_0x000000da575f0000 | 0xda575f0000 | 0xda575f0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da57600000 | 0xda57600000 | 0xda57603fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000da57610000 | 0xda57610000 | 0xda57616fff | Private Memory | rw |
|
|
|
- |
| resources.pri | 0xda57620000 | 0xda576f3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000da57700000 | 0xda57700000 | 0xda577fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da57800000 | 0xda57800000 | 0xda57ffffff | Private Memory | - |
|
|
|
- |
| private_0x000000da58000000 | 0xda58000000 | 0xda580fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58100000 | 0xda58100000 | 0xda581fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58200000 | 0xda58200000 | 0xda582fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58300000 | 0xda58300000 | 0xda583fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58400000 | 0xda58400000 | 0xda584fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58500000 | 0xda58500000 | 0xda585fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58600000 | 0xda58600000 | 0xda586fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58700000 | 0xda58700000 | 0xda587fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58800000 | 0xda58800000 | 0xda588fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58900000 | 0xda58900000 | 0xda589fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58b00000 | 0xda58b00000 | 0xda58bfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58c00000 | 0xda58c00000 | 0xda58cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58e00000 | 0xda58e00000 | 0xda58efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da59100000 | 0xda59100000 | 0xda591fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da59200000 | 0xda59200000 | 0xda59200fff | Private Memory | rw |
|
|
|
- |
| private_0x000000da59220000 | 0xda59220000 | 0xda59220fff | Private Memory | rw |
|
|
|
- |
| private_0x000000da59230000 | 0xda59230000 | 0xda59230fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da59240000 | 0xda59240000 | 0xda59243fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000da59250000 | 0xda59250000 | 0xda59250fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da59260000 | 0xda59260000 | 0xda59263fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000da59270000 | 0xda59270000 | 0xda59276fff | Private Memory | rw |
|
|
|
- |
| ~fontcache-system.dat | 0xda59280000 | 0xda592f5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000da59300000 | 0xda59300000 | 0xda593fffff | Private Memory | rw |
|
|
|
- |
| segoeui.ttf | 0xda59400000 | 0xda594defff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000da594e0000 | 0xda594e0000 | 0xda594e6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da594f0000 | 0xda594f0000 | 0xda594f3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000da59500000 | 0xda59500000 | 0xda595fffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-fontface.dat | 0xda59600000 | 0xda5a5fffff | Memory Mapped File | r |
|
|
|
- |
| ~fontcache-s-1-5-21-1462094071-1423818996-289466292-1000.dat | 0xda5a600000 | 0xda5adfffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000da5ae00000 | 0xda5ae00000 | 0xda5aefffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5af00000 | 0xda5af00000 | 0xda5affffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5b000000 | 0xda5b000000 | 0xda5b0fffff | Private Memory | rw |
|
|
|
- |
| tilecache_100_0_data.bin | 0xda5b100000 | 0xda5b1fffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x000000da5b200000 | 0xda5b200000 | 0xda5b4bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000da5b4c0000 | 0xda5b4c0000 | 0xda5b5bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5b5c0000 | 0xda5b5c0000 | 0xda5b6bffff | Private Memory | rw |
|
|
|
- |
| msxml6r.dll | 0xda5b6c0000 | 0xda5b6c0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000da5b700000 | 0xda5b700000 | 0xda5b7fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5b800000 | 0xda5b800000 | 0xda5b8fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5b900000 | 0xda5b900000 | 0xda5b97ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5ba00000 | 0xda5ba00000 | 0xda5bafffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5bb00000 | 0xda5bb00000 | 0xda5bbfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5bc00000 | 0xda5bc00000 | 0xda5bcfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5bd00000 | 0xda5bd00000 | 0xda5bdfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5be00000 | 0xda5be00000 | 0xda5befffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5bf00000 | 0xda5bf00000 | 0xda5bffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5c000000 | 0xda5c000000 | 0xda5c0fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5c100000 | 0xda5c100000 | 0xda5c1fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5c200000 | 0xda5c200000 | 0xda5c2fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5c300000 | 0xda5c300000 | 0xda5c3fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5c400000 | 0xda5c400000 | 0xda5c4fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5c500000 | 0xda5c500000 | 0xda5c5fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5c600000 | 0xda5c600000 | 0xda5c6fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5c700000 | 0xda5c700000 | 0xda5c7fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5c800000 | 0xda5c800000 | 0xda5c8fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5c900000 | 0xda5c900000 | 0xda5c9fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5ca00000 | 0xda5ca00000 | 0xda5cafffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5cb00000 | 0xda5cb00000 | 0xda5cbfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5cc00000 | 0xda5cc00000 | 0xda5ccfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5cd00000 | 0xda5cd00000 | 0xda5cdfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5cf00000 | 0xda5cf00000 | 0xda5cffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5d000000 | 0xda5d000000 | 0xda5d0fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5d1d0000 | 0xda5d1d0000 | 0xda5d1d6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5d200000 | 0xda5d200000 | 0xda5d2fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5d300000 | 0xda5d300000 | 0xda5d3fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5d400000 | 0xda5d400000 | 0xda5d4fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5d500000 | 0xda5d500000 | 0xda5d5fffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631eca000 | 0x7ff631eca000 | 0x7ff631ecbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ecc000 | 0x7ff631ecc000 | 0x7ff631ecdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ece000 | 0x7ff631ece000 | 0x7ff631ecffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ed2000 | 0x7ff631ed2000 | 0x7ff631ed3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ed4000 | 0x7ff631ed4000 | 0x7ff631ed5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ed6000 | 0x7ff631ed6000 | 0x7ff631ed7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ed8000 | 0x7ff631ed8000 | 0x7ff631ed9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631eda000 | 0x7ff631eda000 | 0x7ff631edbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631edc000 | 0x7ff631edc000 | 0x7ff631eddfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ede000 | 0x7ff631ede000 | 0x7ff631edffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ee0000 | 0x7ff631ee0000 | 0x7ff631ee1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ee2000 | 0x7ff631ee2000 | 0x7ff631ee3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ee4000 | 0x7ff631ee4000 | 0x7ff631ee5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ee6000 | 0x7ff631ee6000 | 0x7ff631ee7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ee8000 | 0x7ff631ee8000 | 0x7ff631ee9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631eea000 | 0x7ff631eea000 | 0x7ff631eebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631eec000 | 0x7ff631eec000 | 0x7ff631eedfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631eee000 | 0x7ff631eee000 | 0x7ff631eeffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ef0000 | 0x7ff631ef0000 | 0x7ff631ef1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ef2000 | 0x7ff631ef2000 | 0x7ff631ef3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ef4000 | 0x7ff631ef4000 | 0x7ff631ef5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ef6000 | 0x7ff631ef6000 | 0x7ff631ef7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ef8000 | 0x7ff631ef8000 | 0x7ff631ef9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631efa000 | 0x7ff631efa000 | 0x7ff631efbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631efc000 | 0x7ff631efc000 | 0x7ff631efdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631efe000 | 0x7ff631efe000 | 0x7ff631efffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631f04000 | 0x7ff631f04000 | 0x7ff631f05fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631f08000 | 0x7ff631f08000 | 0x7ff631f09fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631f0c000 | 0x7ff631f0c000 | 0x7ff631f0dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631f0e000 | 0x7ff631f0e000 | 0x7ff631f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631f10000 | 0x7ff631f10000 | 0x7ff631f11fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631f12000 | 0x7ff631f12000 | 0x7ff631f13fff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 91 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create Remote Thread | #1: c:\users\ciihmnxmn6ps\desktop\fkgcs.exe | 0x61c | address = 0x7ff6ad002870 |
|
1 |
Process #12: net1.exe
67
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:16, Reason: Child Process |
| Unmonitor | End Time: 00:01:27, Reason: Self Terminated |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd9c |
| Parent PID | 0xe2c (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DAC
0x
EF0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000007aa4ad0000 | 0x7aa4ad0000 | 0x7aa4aeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007aa4ad0000 | 0x7aa4ad0000 | 0x7aa4adffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000007aa4ae0000 | 0x7aa4ae0000 | 0x7aa4ae6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007aa4af0000 | 0x7aa4af0000 | 0x7aa4b03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007aa4b10000 | 0x7aa4b10000 | 0x7aa4b8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007aa4b90000 | 0x7aa4b90000 | 0x7aa4b93fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000007aa4ba0000 | 0x7aa4ba0000 | 0x7aa4ba0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007aa4bb0000 | 0x7aa4bb0000 | 0x7aa4bb1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000007aa4bc0000 | 0x7aa4bc0000 | 0x7aa4bc6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x7aa4bd0000 | 0x7aa4bd2fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000007aa4c00000 | 0x7aa4c00000 | 0x7aa4cfffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x7aa4d00000 | 0x7aa4dbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000007aa4dc0000 | 0x7aa4dc0000 | 0x7aa4e3ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x7aa4e40000 | 0x7aa4e71fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000007aa4ea0000 | 0x7aa4ea0000 | 0x7aa4eaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff700000 | 0x7df5ff700000 | 0x7ff5ff6fffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69bca0000 | 0x7ff69bca0000 | 0x7ff69bd9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69bda0000 | 0x7ff69bda0000 | 0x7ff69bdc2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69bdc5000 | 0x7ff69bdc5000 | 0x7ff69bdc5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bdcc000 | 0x7ff69bdcc000 | 0x7ff69bdcdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bdce000 | 0x7ff69bdce000 | 0x7ff69bdcffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc3e660000 | 0x7ffc3e673fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (32)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
15 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 169 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
7 | |
| Write | STD_OUTPUT_HANDLE | size = 16 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 53 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 54 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 70 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x7aa4bd0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (30)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = AUDIOENDPOINTBUILDER |
|
1 | |
| Control | service_name = Audiosrv |
|
1 | |
| Control | service_name = Audiosrv |
|
1 | |
| Control | service_name = Audiosrv |
|
1 | |
| Control | service_name = AUDIOENDPOINTBUILDER |
|
1 | |
| Control | service_name = AUDIOENDPOINTBUILDER |
|
1 | |
| Get Display Name | database_name = SERVICES_ACTIVE_DATABASE |
|
3 | |
| Get Display Name | database_name = SERVICES_ACTIVE_DATABASE |
|
2 | |
| Get Info | service_name = AUDIOENDPOINTBUILDER |
|
1 | |
| Get Info | service_name = AUDIOENDPOINTBUILDER |
|
1 | |
| Get Info | service_name = Audiosrv |
|
1 | |
| Get Info | service_name = AUDIOENDPOINTBUILDER |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 2500 milliseconds (2.500 seconds) |
|
2 |
Process #13: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:16, Reason: Child Process |
| Unmonitor | End Time: 00:01:19, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf08 |
| Parent PID | 0xdb4 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F14
0x
55C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000efe2760000 | 0xefe2760000 | 0xefe277ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000efe2760000 | 0xefe2760000 | 0xefe276ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000efe2770000 | 0xefe2770000 | 0xefe2776fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000efe2780000 | 0xefe2780000 | 0xefe2793fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000efe27a0000 | 0xefe27a0000 | 0xefe281ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000efe2820000 | 0xefe2820000 | 0xefe2823fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000efe2830000 | 0xefe2830000 | 0xefe2830fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000efe2840000 | 0xefe2840000 | 0xefe2841fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xefe2850000 | 0xefe290dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000efe2910000 | 0xefe2910000 | 0xefe298ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000efe2990000 | 0xefe2990000 | 0xefe2996fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xefe29a0000 | 0xefe29a2fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000efe29b0000 | 0xefe29b0000 | 0xefe2aaffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0xefe2ab0000 | 0xefe2ae1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000efe2be0000 | 0xefe2be0000 | 0xefe2beffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff6a0000 | 0x7df5ff6a0000 | 0x7ff5ff69ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69c5d0000 | 0x7ff69c5d0000 | 0x7ff69c6cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69c6d0000 | 0x7ff69c6d0000 | 0x7ff69c6f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69c6fb000 | 0x7ff69c6fb000 | 0x7ff69c6fcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c6fd000 | 0x7ff69c6fd000 | 0x7ff69c6fefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c6ff000 | 0x7ff69c6ff000 | 0x7ff69c6fffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc3e660000 | 0x7ffc3e673fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xefe29a0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #14: werfault.exe
0
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\system32\werfault.exe |
| Command Line | C:\Windows\system32\WerFault.exe -u -p 1796 -s 1324 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:16, Reason: Child Process |
| Unmonitor | End Time: 00:01:27, Reason: Self Terminated |
| Monitor Duration | 00:00:11 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xedc |
| Parent PID | 0x704 (c:\windows\system32\sihost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
EE8
0x
6B4
0x
1A4
0x
C0C
0x
784
0x
F44
0x
2CC
0x
F58
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000001d8b520000 | 0x1d8b520000 | 0x1d8b53ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001d8b520000 | 0x1d8b520000 | 0x1d8b52ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000001d8b530000 | 0x1d8b530000 | 0x1d8b536fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001d8b540000 | 0x1d8b540000 | 0x1d8b553fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001d8b560000 | 0x1d8b560000 | 0x1d8b5dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001d8b5e0000 | 0x1d8b5e0000 | 0x1d8b5e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001d8b5f0000 | 0x1d8b5f0000 | 0x1d8b5f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001d8b600000 | 0x1d8b600000 | 0x1d8b601fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001d8b610000 | 0x1d8b610000 | 0x1d8b61ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001d8b620000 | 0x1d8b620000 | 0x1d8b626fff | Private Memory | rw |
|
|
|
- |
| werfault.exe.mui | 0x1d8b630000 | 0x1d8b633fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001d8b640000 | 0x1d8b640000 | 0x1d8b640fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001d8b650000 | 0x1d8b650000 | 0x1d8b74ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x1d8b750000 | 0x1d8b80dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001d8b810000 | 0x1d8b810000 | 0x1d8b88ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001d8b890000 | 0x1d8b890000 | 0x1d8b890fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001d8b8a0000 | 0x1d8b8a0000 | 0x1d8b8a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000001d8b8b0000 | 0x1d8b8b0000 | 0x1d8b8b0fff | Private Memory | rw |
|
|
|
- |
| ntdll.dll.mui | 0x1d8b8c0000 | 0x1d8b925fff | Memory Mapped File | r |
|
|
|
- |
| faultrep.dll.mui | 0x1d8b930000 | 0x1d8b931fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001d8b940000 | 0x1d8b940000 | 0x1d8b940fff | Private Memory | rw |
|
|
|
- |
| wer.dll.mui | 0x1d8b950000 | 0x1d8b952fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001d8b960000 | 0x1d8b960000 | 0x1d8b966fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001d8b970000 | 0x1d8b970000 | 0x1d8b971fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001d8b980000 | 0x1d8b980000 | 0x1d8b981fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001d8b990000 | 0x1d8b990000 | 0x1d8b990fff | Pagefile Backed Memory | r |
|
|
|
- |
| werui.dll.mui | 0x1d8b990000 | 0x1d8b994fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000001d8b9a0000 | 0x1d8b9a0000 | 0x1d8b9a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001d8b9b0000 | 0x1d8b9b0000 | 0x1d8b9b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001d8b9c0000 | 0x1d8b9c0000 | 0x1d8b9c1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001d8b9d0000 | 0x1d8b9d0000 | 0x1d8b9dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001d8b9e0000 | 0x1d8b9e0000 | 0x1d8bb67fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001d8bb70000 | 0x1d8bb70000 | 0x1d8bcf0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001d8bd00000 | 0x1d8bd00000 | 0x1d8d0fffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001d8d100000 | 0x1d8d100000 | 0x1d8d1fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001d8d200000 | 0x1d8d200000 | 0x1d8d203fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001d8d210000 | 0x1d8d210000 | 0x1d8d216fff | Private Memory | rw |
|
|
|
- |
| duser.dll.mui | 0x1d8d220000 | 0x1d8d220fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001d8d270000 | 0x1d8d270000 | 0x1d8d27ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x1d8d280000 | 0x1d8d5b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001d8d5c0000 | 0x1d8d5c0000 | 0x1d8d6bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001d8d6c0000 | 0x1d8d6c0000 | 0x1d8d7bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001d8d7c0000 | 0x1d8d7c0000 | 0x1d8d9bffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x1d8d9c0000 | 0x1d8da9efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001d8daa0000 | 0x1d8daa0000 | 0x1d8db9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001d8dba0000 | 0x1d8dba0000 | 0x1d8dc1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001d8dc20000 | 0x1d8dc20000 | 0x1d8dc9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001d8dca0000 | 0x1d8dca0000 | 0x1d8dd1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001d8dd20000 | 0x1d8dd20000 | 0x1d8dd9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001d8dda0000 | 0x1d8dda0000 | 0x1d8de1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001d8de20000 | 0x1d8de20000 | 0x1d8ded7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007df5ff420000 | 0x7df5ff420000 | 0x7ff5ff41ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6717be000 | 0x7ff6717be000 | 0x7ff6717bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6717c0000 | 0x7ff6717c0000 | 0x7ff6718bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6718c0000 | 0x7ff6718c0000 | 0x7ff6718e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6718e3000 | 0x7ff6718e3000 | 0x7ff6718e4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6718e5000 | 0x7ff6718e5000 | 0x7ff6718e6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6718e7000 | 0x7ff6718e7000 | 0x7ff6718e7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6718e8000 | 0x7ff6718e8000 | 0x7ff6718e9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6718ea000 | 0x7ff6718ea000 | 0x7ff6718ebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6718ec000 | 0x7ff6718ec000 | 0x7ff6718edfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6718ee000 | 0x7ff6718ee000 | 0x7ff6718effff | Private Memory | rw |
|
|
|
- |
| werfault.exe | 0x7ff672280000 | 0x7ff6722cafff | Memory Mapped File | rwx |
|
|
|
- |
| dbgeng.dll | 0x7ffc3db90000 | 0x7ffc3e06bfff | Memory Mapped File | rwx |
|
|
|
- |
| dbgcore.dll | 0x7ffc3e070000 | 0x7ffc3e094fff | Memory Mapped File | rwx |
|
|
|
- |
| faultrep.dll | 0x7ffc3e3c0000 | 0x7ffc3e41dfff | Memory Mapped File | rwx |
|
|
|
- |
| dbghelp.dll | 0x7ffc3e420000 | 0x7ffc3e5a9fff | Memory Mapped File | rwx |
|
|
|
- |
| wer.dll | 0x7ffc3f2c0000 | 0x7ffc3f35dfff | Memory Mapped File | rwx |
|
|
|
- |
| dui70.dll | 0x7ffc3fb30000 | 0x7ffc3fcdffff | Memory Mapped File | rwx |
|
|
|
- |
| msls31.dll | 0x7ffc40ff0000 | 0x7ffc41027fff | Memory Mapped File | rwx |
|
|
|
- |
| riched20.dll | 0x7ffc41030000 | 0x7ffc410cafff | Memory Mapped File | rwx |
|
|
|
- |
| atlthunk.dll | 0x7ffc41be0000 | 0x7ffc41beffff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ffc4b090000 | 0x7ffc4b09dfff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ffc4b6e0000 | 0x7ffc4b6ebfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffc4b890000 | 0x7ffc4b899fff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7ffc4c220000 | 0x7ffc4c25efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4cbd0000 | 0x7ffc4ce43fff | Memory Mapped File | rwx |
|
|
|
- |
| duser.dll | 0x7ffc4f3a0000 | 0x7ffc4f438fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| dbgmodel.dll | 0x7ffc50e20000 | 0x7ffc50eb0fff | Memory Mapped File | rwx |
|
|
|
- |
| werui.dll | 0x7ffc50e40000 | 0x7ffc50eb3fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7ffc513f0000 | 0x7ffc51407fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ffc525f0000 | 0x7ffc52611fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffc52ef0000 | 0x7ffc52f16fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ffc53920000 | 0x7ffc53951fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #15: net1.exe
33
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "spooler" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:16, Reason: Child Process |
| Unmonitor | End Time: 00:01:21, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xefc |
| Parent PID | 0xe4c (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EE0
0x
ED8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000004f72c10000 | 0x4f72c10000 | 0x4f72c2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004f72c10000 | 0x4f72c10000 | 0x4f72c1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000004f72c20000 | 0x4f72c20000 | 0x4f72c26fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004f72c30000 | 0x4f72c30000 | 0x4f72c43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004f72c50000 | 0x4f72c50000 | 0x4f72ccffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004f72cd0000 | 0x4f72cd0000 | 0x4f72cd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000004f72ce0000 | 0x4f72ce0000 | 0x4f72ce0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004f72cf0000 | 0x4f72cf0000 | 0x4f72cf1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000004f72d00000 | 0x4f72d00000 | 0x4f72d06fff | Private Memory | rw |
|
|
|
- |
| private_0x0000004f72d10000 | 0x4f72d10000 | 0x4f72d1ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x4f72d20000 | 0x4f72d22fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000004f72d40000 | 0x4f72d40000 | 0x4f72e3ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x4f72e40000 | 0x4f72efdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004f72f00000 | 0x4f72f00000 | 0x4f72f7ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x4f72f80000 | 0x4f72fb1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff0a0000 | 0x7df5ff0a0000 | 0x7ff5ff09ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69bca0000 | 0x7ff69bca0000 | 0x7ff69bd9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69bda0000 | 0x7ff69bda0000 | 0x7ff69bdc2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69bdcb000 | 0x7ff69bdcb000 | 0x7ff69bdccfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bdcd000 | 0x7ff69bdcd000 | 0x7ff69bdcefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bdcf000 | 0x7ff69bdcf000 | 0x7ff69bdcffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc3e660000 | 0x7ffc3e673fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (12)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
5 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 53 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x4f72d20000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SPOOLER |
|
1 | |
| Control | service_name = SPOOLER |
|
1 | |
| Control | service_name = SPOOLER |
|
1 | |
| Get Display Name | database_name = SERVICES_ACTIVE_DATABASE |
|
2 | |
| Get Info | service_name = SPOOLER |
|
1 | |
| Get Info | service_name = SPOOLER |
|
1 | |
| Get Info | service_name = SPOOLER |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 2500 milliseconds (2.500 seconds) |
|
1 |
Process #16: sihost.exe
0
0
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\windows\system32\sihost.exe |
| Command Line | sihost.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:18, Reason: Child Process |
| Unmonitor | End Time: 00:01:26, Reason: Self Terminated |
| Monitor Duration | 00:00:08 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc58 |
| Parent PID | 0x704 (c:\windows\system32\sihost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs | - |
Process #17: searchui.exe
0
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe |
| Command Line | "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca |
| Initial Working Directory | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ |
| Monitor | Start Time: 00:01:19, Reason: Injection |
| Unmonitor | End Time: 00:04:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:22 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9e4 |
| Parent PID | 0x23c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
DF4
0x
C7C
0x
D04
0x
B28
0x
B04
0x
B00
0x
AFC
0x
AF0
0x
AC0
0x
ABC
0x
AB8
0x
AAC
0x
AA8
0x
AA4
0x
AA0
0x
A9C
0x
A98
0x
A88
0x
A28
0x
A20
0x
A18
0x
A08
0x
A04
0x
9FC
0x
9E8
0x
B38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000ae80000000 | 0xae80000000 | 0xae80180fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ae80190000 | 0xae80190000 | 0xae8158ffff | Pagefile Backed Memory | r |
|
|
|
- |
| kernelbase.dll.mui | 0xae81590000 | 0xae8166efff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ae81670000 | 0xae81670000 | 0xae8176ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xae81770000 | 0xae81aa6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ae81bb0000 | 0xae81bb0000 | 0xae81caffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae81db0000 | 0xae81db0000 | 0xae81eaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae81eb0000 | 0xae81eb0000 | 0xae81faffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae820b0000 | 0xae820b0000 | 0xae821affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ae821b0000 | 0xae821b0000 | 0xae821b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| counters.dat | 0xae821c0000 | 0xae821c0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ae821d0000 | 0xae821d0000 | 0xae821d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| resources.pri | 0xae821e0000 | 0xae82200fff | Memory Mapped File | r |
|
|
|
- |
| 2495906576.pri | 0xae82210000 | 0xae82223fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ae82230000 | 0xae82230000 | 0xae82230fff | Pagefile Backed Memory | rw |
|
|
|
- |
| app.xbf | 0xae82240000 | 0xae82240fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ae82250000 | 0xae82250000 | 0xae82250fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ae82260000 | 0xae82260000 | 0xae82260fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae82270000 | 0xae82270000 | 0xae82270fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ae82280000 | 0xae82280000 | 0xae82280fff | Pagefile Backed Memory | rw |
|
|
|
- |
| dictionary.xbf | 0xae82290000 | 0xae82293fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ae822a0000 | 0xae822a0000 | 0xae822a6fff | Private Memory | rw |
|
|
|
- |
| resources.en-us.pri | 0xae822b0000 | 0xae822c5fff | Memory Mapped File | r |
|
|
|
- |
| reactivecat1themeresources.xbf | 0xae822d0000 | 0xae822d4fff | Memory Mapped File | r |
|
|
|
- |
| speechtextinputthemeresources.xbf | 0xae822e0000 | 0xae822e1fff | Memory Mapped File | r |
|
|
|
- |
| cortanawindow.xbf | 0xae822f0000 | 0xae822f0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ae82300000 | 0xae82300000 | 0xae823fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae82500000 | 0xae82500000 | 0xae825fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae82600000 | 0xae82600000 | 0xae82dfffff | Private Memory | - |
|
|
|
- |
| private_0x000000ae82e00000 | 0xae82e00000 | 0xae82efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae82f00000 | 0xae82f00000 | 0xae82ffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae83000000 | 0xae83000000 | 0xae830fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae83200000 | 0xae83200000 | 0xae832fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ae83300000 | 0xae83300000 | 0xae83301fff | Pagefile Backed Memory | rw |
|
|
|
- |
| shell32.dll.mui | 0xae83400000 | 0xae83460fff | Memory Mapped File | r |
|
|
|
- |
| chrome.xbf | 0xae83470000 | 0xae83477fff | Memory Mapped File | r |
|
|
|
- |
| msxml6r.dll | 0xae834a0000 | 0xae834a0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ae834b0000 | 0xae834b0000 | 0xae834b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| homeburgermenucontrol.xbf | 0xae834c0000 | 0xae834c0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ae834d0000 | 0xae834d0000 | 0xae834d6fff | Private Memory | rw |
|
|
|
- |
| greetingscontrol.xbf | 0xae834e0000 | 0xae834e1fff | Memory Mapped File | r |
|
|
|
- |
| hostedwebviewcontrol.xbf | 0xae834f0000 | 0xae834f0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ae83500000 | 0xae83500000 | 0xae835fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ae83600000 | 0xae83600000 | 0xae836b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ae836c0000 | 0xae836c0000 | 0xae836c6fff | Private Memory | rw |
|
|
|
- |
| speechtextinputcontrol.xbf | 0xae836d0000 | 0xae836d1fff | Memory Mapped File | r |
|
|
|
- |
| searchboxcontrol.xbf | 0xae836e0000 | 0xae836e0fff | Memory Mapped File | r |
|
|
|
- |
| windows.ui.xaml.dll.mui | 0xae836f0000 | 0xae836f9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ae83700000 | 0xae83700000 | 0xae837fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae83800000 | 0xae83800000 | 0xae838fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae83900000 | 0xae83900000 | 0xae839fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae83a00000 | 0xae83a00000 | 0xae83afffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-system.dat | 0xae83b00000 | 0xae83b75fff | Memory Mapped File | r |
|
|
|
- |
| ~fontcache-fontface.dat | 0xae83b80000 | 0xae84b7ffff | Memory Mapped File | r |
|
|
|
- |
| segoeui.ttf | 0xae84b80000 | 0xae84c5efff | Memory Mapped File | r |
|
|
|
- |
| ~fontcache-s-1-5-21-1462094071-1423818996-289466292-1000.dat | 0xae84c60000 | 0xae8545ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ae85460000 | 0xae85460000 | 0xae8555ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae85660000 | 0xae85660000 | 0xae85660fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae85670000 | 0xae85670000 | 0xae85670fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ae85680000 | 0xae85680000 | 0xae85683fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ae85690000 | 0xae85690000 | 0xae856affff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae856b0000 | 0xae856b0000 | 0xae856fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae85700000 | 0xae85700000 | 0xae857fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae85800000 | 0xae85800000 | 0xae858fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae85900000 | 0xae85900000 | 0xae85900fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae85910000 | 0xae85910000 | 0xae85910fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ae85920000 | 0xae85920000 | 0xae85920fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ae85930000 | 0xae85930000 | 0xae85936fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ae85940000 | 0xae85940000 | 0xae85940fff | Pagefile Backed Memory | rw |
|
|
|
- |
| edgehtml.dll.mui | 0xae85960000 | 0xae859bffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ae859c0000 | 0xae859c0000 | 0xae859cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ae859d0000 | 0xae859d0000 | 0xae859dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ae859e0000 | 0xae859e0000 | 0xae859fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae85a00000 | 0xae85a00000 | 0xae85afffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae85b00000 | 0xae85b00000 | 0xae85bfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae85c00000 | 0xae85c00000 | 0xae85cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae85d00000 | 0xae85d00000 | 0xae85dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae85e00000 | 0xae85e00000 | 0xae85efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae85f00000 | 0xae85f00000 | 0xae85ffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86000000 | 0xae86000000 | 0xae860fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86100000 | 0xae86100000 | 0xae8611ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86120000 | 0xae86120000 | 0xae8616ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86170000 | 0xae86170000 | 0xae8626ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86270000 | 0xae86270000 | 0xae8628ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86290000 | 0xae86290000 | 0xae8638ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86390000 | 0xae86390000 | 0xae863affff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae863b0000 | 0xae863b0000 | 0xae863cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae863d0000 | 0xae863d0000 | 0xae863effff | Private Memory | rw |
|
|
|
- |
| cortana.internal.search.winmd | 0xae863f0000 | 0xae86400fff | Memory Mapped File | rwx |
|
|
|
- |
| cortana.search.winmd | 0xae86410000 | 0xae86417fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000ae86420000 | 0xae86420000 | 0xae8643ffff | Private Memory | rw |
|
|
|
- |
| windows.foundation.winmd | 0xae86440000 | 0xae8644efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.security.winmd | 0xae86450000 | 0xae8646dfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000ae86470000 | 0xae86470000 | 0xae8656ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86570000 | 0xae86570000 | 0xae8658ffff | Private Memory | rw |
|
|
|
- |
| windows.storage.winmd | 0xae86590000 | 0xae865aafff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000ae865b0000 | 0xae865b0000 | 0xae865cffff | Private Memory | rw |
|
|
|
- |
| chakra.dll.mui | 0xae865d0000 | 0xae865d9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ae865e0000 | 0xae865e0000 | 0xae865fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86620000 | 0xae86620000 | 0xae8663ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86680000 | 0xae86680000 | 0xae8669ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae866a0000 | 0xae866a0000 | 0xae866bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae866c0000 | 0xae866c0000 | 0xae867bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae867e0000 | 0xae867e0000 | 0xae867fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86800000 | 0xae86800000 | 0xae8681ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86820000 | 0xae86820000 | 0xae8683ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86840000 | 0xae86840000 | 0xae8685ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86860000 | 0xae86860000 | 0xae8687ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86880000 | 0xae86880000 | 0xae8689ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae868c0000 | 0xae868c0000 | 0xae868dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae868e0000 | 0xae868e0000 | 0xae868fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86900000 | 0xae86900000 | 0xae869fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86a00000 | 0xae86a00000 | 0xae86afffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86b00000 | 0xae86b00000 | 0xae86bfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86c40000 | 0xae86c40000 | 0xae86c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86c60000 | 0xae86c60000 | 0xae86c7ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000000ae86c80000 | 0xae86c80000 | 0xae86c9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86ca0000 | 0xae86ca0000 | 0xae86cbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86cc0000 | 0xae86cc0000 | 0xae86cdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86ce0000 | 0xae86ce0000 | 0xae86cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86d20000 | 0xae86d20000 | 0xae86d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86d40000 | 0xae86d40000 | 0xae86d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86d60000 | 0xae86d60000 | 0xae86d7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86d80000 | 0xae86d80000 | 0xae86d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86da0000 | 0xae86da0000 | 0xae86dbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86dc0000 | 0xae86dc0000 | 0xae86ddffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86de0000 | 0xae86de0000 | 0xae86dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86e00000 | 0xae86e00000 | 0xae86e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86e20000 | 0xae86e20000 | 0xae86e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86e40000 | 0xae86e40000 | 0xae86f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86f40000 | 0xae86f40000 | 0xae86f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86f60000 | 0xae86f60000 | 0xae86f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86f80000 | 0xae86f80000 | 0xae86f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86fa0000 | 0xae86fa0000 | 0xae86fbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86fc0000 | 0xae86fc0000 | 0xae86fdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86fe0000 | 0xae86fe0000 | 0xae86ffffff | Private Memory | rwx |
|
|
|
- |
| private_0x000000ae87000000 | 0xae87000000 | 0xae870fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae87100000 | 0xae87100000 | 0xae871fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae87200000 | 0xae87200000 | 0xae872fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae87300000 | 0xae87300000 | 0xae8731ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae873c0000 | 0xae873c0000 | 0xae874bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae874c0000 | 0xae874c0000 | 0xae874dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae874e0000 | 0xae874e0000 | 0xae874fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae87600000 | 0xae87600000 | 0xae8761ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae87620000 | 0xae87620000 | 0xae8763ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae87640000 | 0xae87640000 | 0xae8765ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae87660000 | 0xae87660000 | 0xae8767ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae876c0000 | 0xae876c0000 | 0xae876dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae876e0000 | 0xae876e0000 | 0xae876fffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 225 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create Remote Thread | #1: c:\users\ciihmnxmn6ps\desktop\fkgcs.exe | 0x61c | address = 0x7ff6ad002870 |
|
1 |
Process #18: backgroundtaskhost.exe
86
0
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\system32\backgroundtaskhost.exe |
| Command Line | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca |
| Initial Working Directory | C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\ |
| Monitor | Start Time: 00:01:21, Reason: Injection |
| Unmonitor | End Time: 00:01:40, Reason: Crashed |
| Monitor Duration | 00:00:19 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x564 |
| Parent PID | 0x23c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A6C
0x
C24
0x
FF0
0x
CE4
0x
CD8
0x
CD4
0x
CC0
0x
CBC
0x
BF8
0x
C1C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000ade43e0000 | 0xade43e0000 | 0xade43effff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ade43f0000 | 0xade43f0000 | 0xade43f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ade4400000 | 0xade4400000 | 0xade4413fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ade4420000 | 0xade4420000 | 0xade449ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ade44a0000 | 0xade44a0000 | 0xade44a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ade44b0000 | 0xade44b0000 | 0xade44b1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ade44c0000 | 0xade44c0000 | 0xade44c0fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xade44d0000 | 0xade458dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ade4590000 | 0xade4590000 | 0xade460ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ade4610000 | 0xade4610000 | 0xade4639fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ade4640000 | 0xade4640000 | 0xade4640fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ade4650000 | 0xade4650000 | 0xade4650fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ade4660000 | 0xade4660000 | 0xade4666fff | Private Memory | rw |
|
|
|
- |
| windows.storage.dll.mui | 0xade4670000 | 0xade4677fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0xade4680000 | 0xade4683fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0xade4690000 | 0xade4693fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ade46a0000 | 0xade46a0000 | 0xade46a6fff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db | 0xade46b0000 | 0xade46f2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ade4700000 | 0xade4700000 | 0xade47fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ade4800000 | 0xade4800000 | 0xade48fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ade4900000 | 0xade4900000 | 0xade497ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ade4980000 | 0xade4980000 | 0xade4b07fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ade4b10000 | 0xade4b10000 | 0xade4c90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ade4ca0000 | 0xade4ca0000 | 0xade609ffff | Pagefile Backed Memory | r |
|
|
|
- |
| kernelbase.dll.mui | 0xade60a0000 | 0xade617efff | Memory Mapped File | r |
|
|
|
- |
| sortdefault.nls | 0xade6180000 | 0xade64b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ade64c0000 | 0xade64c0000 | 0xade653ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ade6540000 | 0xade6540000 | 0xade65bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ade65c0000 | 0xade65c0000 | 0xade66bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ade66c0000 | 0xade66c0000 | 0xade673ffff | Private Memory | rw |
|
|
|
- |
| shell32.dll.mui | 0xade6740000 | 0xade67a0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ade67b0000 | 0xade67b0000 | 0xade682ffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0xade6830000 | 0xade68bafff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ade68c0000 | 0xade68c0000 | 0xade693ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ade6940000 | 0xade6940000 | 0xade69bffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0xade69c0000 | 0xade69c3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ade69d0000 | 0xade69d0000 | 0xade6a4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff7a0000 | 0x7df5ff7a0000 | 0x7ff5ff79ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6ad000000 | 0x7ff6ad000000 | 0x7ff6ad395fff | Private Memory | rwx |
|
|
|
- |
| private_0x00007ff7e0fd8000 | 0x7ff7e0fd8000 | 0x7ff7e0fd9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7e0fda000 | 0x7ff7e0fda000 | 0x7ff7e0fdbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7e0fdc000 | 0x7ff7e0fdc000 | 0x7ff7e0fddfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7e0fde000 | 0x7ff7e0fde000 | 0x7ff7e0fdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7e0fe0000 | 0x7ff7e0fe0000 | 0x7ff7e10dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7e10e0000 | 0x7ff7e10e0000 | 0x7ff7e1102fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7e1103000 | 0x7ff7e1103000 | 0x7ff7e1104fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7e1105000 | 0x7ff7e1105000 | 0x7ff7e1106fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7e1107000 | 0x7ff7e1107000 | 0x7ff7e1108fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7e1109000 | 0x7ff7e1109000 | 0x7ff7e110afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7e110b000 | 0x7ff7e110b000 | 0x7ff7e110cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7e110d000 | 0x7ff7e110d000 | 0x7ff7e110dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7e110e000 | 0x7ff7e110e000 | 0x7ff7e110ffff | Private Memory | rw |
|
|
|
- |
| backgroundtaskhost.exe | 0x7ff7e11b0000 | 0x7ff7e11b6fff | Memory Mapped File | rwx |
|
|
|
- |
| contentmanagementsdk.dll | 0x7ffc3f900000 | 0x7ffc3fb02fff | Memory Mapped File | rwx |
|
|
|
- |
| contentdeliverymanager.background.dll | 0x7ffc40b90000 | 0x7ffc40e03fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.applicationmodel.background.timebroker.dll | 0x7ffc424a0000 | 0x7ffc424abfff | Memory Mapped File | rwx |
|
|
|
- |
| biwinrt.dll | 0x7ffc44140000 | 0x7ffc44172fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.applicationmodel.dll | 0x7ffc44ea0000 | 0x7ffc44ed3fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.applicationdata.dll | 0x7ffc45050000 | 0x7ffc450a2fff | Memory Mapped File | rwx |
|
|
|
- |
| veeventdispatcher.dll | 0x7ffc46bb0000 | 0x7ffc46bf8fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffc48ff0000 | 0x7ffc49459fff | Memory Mapped File | rwx |
|
|
|
- |
| threadpoolwinrt.dll | 0x7ffc4ce70000 | 0x7ffc4ce84fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.globalization.dll | 0x7ffc4d520000 | 0x7ffc4d6a5fff | Memory Mapped File | rwx |
|
|
|
- |
| mrmcorer.dll | 0x7ffc4f1f0000 | 0x7ffc4f2fefff | Memory Mapped File | rwx |
|
|
|
- |
| wincorlib.dll | 0x7ffc4f300000 | 0x7ffc4f369fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp110_win.dll | 0x7ffc4f8f0000 | 0x7ffc4f981fff | Memory Mapped File | rwx |
|
|
|
- |
| policymanager.dll | 0x7ffc4f990000 | 0x7ffc4f9c8fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ffc50c00000 | 0x7ffc50d30fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc511b0000 | 0x7ffc51332fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| bcp47langs.dll | 0x7ffc52660000 | 0x7ffc526c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sppc.dll | 0x7ffc52bd0000 | 0x7ffc52bf4fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x7ffc52c00000 | 0x7ffc52c25fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ffc52f40000 | 0x7ffc5302dfff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffc53810000 | 0x7ffc5382bfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\fkgcs.exe | 0x61c | address = 0x7ff6ad000000, size = 3760128 |
|
1 | |
| Create Remote Thread | #1: c:\users\ciihmnxmn6ps\desktop\fkgcs.exe | 0x61c | address = 0x7ff6ad002870 |
|
1 |
Host Behavior
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\users\Public\sys | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN |
|
1 | |
| Create | C:\users\Public\sys | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN |
|
1 |
Module (78)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffc55800000 |
|
1 | |
| Load | mpr.dll | base_address = 0x7ffc53810000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x7ffc57aa0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7ffc57750000 |
|
1 | |
| Load | Shell32.dll | base_address = 0x7ffc559d0000 |
|
1 | |
| Load | Iphlpapi.dll | base_address = 0x7ffc51c50000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7ffc55822080 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7ffc55816060 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualFree, address_out = 0x7ffc5581bc10 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptExportKey, address_out = 0x7ffc57ab7b50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileW, address_out = 0x7ffc558257a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDriveTypeW, address_out = 0x7ffc558258f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCommandLineW, address_out = 0x7ffc55820150 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetStartupInfoW, address_out = 0x7ffc5581ed80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileW, address_out = 0x7ffc55825880 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualAlloc, address_out = 0x7ffc5581baf0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7ffc57acec40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ExitProcess, address_out = 0x7ffc5581ef50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffc558436a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x7ffc5581d5b0 |
|
1 | |
| Get Address | c:\windows\system32\iphlpapi.dll | function = GetIpNetTable, address_out = 0x7ffc51c6f0b0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x7ffc5581aa30 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffc55843690 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDefaultLangID, address_out = 0x7ffc55822ba0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameW, address_out = 0x7ffc57abda40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x7ffc55825a90 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegQueryValueExA, address_out = 0x7ffc57ab7dd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7ffc55825510 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegSetValueExW, address_out = 0x7ffc57ab7850 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7ffc57ab72e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7ffc5583e430 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesW, address_out = 0x7ffc55825b00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WinExec, address_out = 0x7ffc55841e60 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDeriveKey, address_out = 0x7ffc57ad07a0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptGenKey, address_out = 0x7ffc57abcab0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Sleep, address_out = 0x7ffc55818f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcess, address_out = 0x7ffc55816580 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteW, address_out = 0x7ffc55b1abc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x7ffc55825950 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GlobalAlloc, address_out = 0x7ffc5581b810 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x7ffc558257c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForMultipleObjects, address_out = 0x7ffc558256e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameA, address_out = 0x7ffc55820c70 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteA, address_out = 0x7ffc55bd7de0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleA, address_out = 0x7ffc5581e6d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameW, address_out = 0x7ffc5581eca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7ffc55825760 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSizeEx, address_out = 0x7ffc55825960 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x7ffc55825b80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalDrives, address_out = 0x7ffc558166d0 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetEnumResourceW, address_out = 0x7ffc538127d0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7ffc57ab6cb0 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetCloseEnum, address_out = 0x7ffc53812e20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x7ffc55822940 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x7ffc55825af0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExA, address_out = 0x7ffc57ab7d70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7ffc55825b20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount, address_out = 0x7ffc558160a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesW, address_out = 0x7ffc55825930 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileW, address_out = 0x7ffc55825840 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextW, address_out = 0x7ffc57ab89e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MoveFileExW, address_out = 0x7ffc55823010 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetOpenEnumW, address_out = 0x7ffc53812f20 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoInitialize, address_out = 0x7ffc57763870 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDecrypt, address_out = 0x7ffc57ab9140 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptImportKey, address_out = 0x7ffc57ab7b40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointerEx, address_out = 0x7ffc55825b30 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileW, address_out = 0x7ffc55825d70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibrary, address_out = 0x7ffc5581eb90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessW, address_out = 0x7ffc5581dee0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryW, address_out = 0x7ffc55825740 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThread, address_out = 0x7ffc5581bc20 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDestroyKey, address_out = 0x7ffc57ab86b0 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoCreateInstance, address_out = 0x7ffc57257000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileW, address_out = 0x7ffc55825770 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesA, address_out = 0x7ffc55825900 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptEncrypt, address_out = 0x7ffc57abd7e0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueW, address_out = 0x7ffc57ab90b0 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeBackupPrivilege, luid = 17 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 |
Process #19: net.exe
0
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:25, Reason: Child Process |
| Unmonitor | End Time: 00:01:27, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfdc |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FCC
0x
FE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000b220cf0000 | 0xb220cf0000 | 0xb220d0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b220cf0000 | 0xb220cf0000 | 0xb220cfffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b220d10000 | 0xb220d10000 | 0xb220d23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b220d30000 | 0xb220d30000 | 0xb220daffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b220db0000 | 0xb220db0000 | 0xb220db3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b220dc0000 | 0xb220dc0000 | 0xb220dc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b220dd0000 | 0xb220dd0000 | 0xb220dd1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xb220de0000 | 0xb220e9dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b220f80000 | 0xb220f80000 | 0xb22107ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff570000 | 0x7df5ff570000 | 0x7ff5ff56ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6550000 | 0x7ff6d6550000 | 0x7ff6d664ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6650000 | 0x7ff6d6650000 | 0x7ff6d6672fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d6676000 | 0x7ff6d6676000 | 0x7ff6d6676fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d667e000 | 0x7ff6d667e000 | 0x7ff6d667ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #21: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #21 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:26, Reason: Child Process |
| Unmonitor | End Time: 00:01:26, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xff4 |
| Parent PID | 0xfdc (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FF8
0x
E6C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000008a04400000 | 0x8a04400000 | 0x8a0441ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008a04400000 | 0x8a04400000 | 0x8a0440ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000008a04410000 | 0x8a04410000 | 0x8a04416fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008a04420000 | 0x8a04420000 | 0x8a04433fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008a04440000 | 0x8a04440000 | 0x8a044bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008a044c0000 | 0x8a044c0000 | 0x8a044c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008a044d0000 | 0x8a044d0000 | 0x8a044d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008a044e0000 | 0x8a044e0000 | 0x8a044e1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008a044f0000 | 0x8a044f0000 | 0x8a044f6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x8a04500000 | 0x8a04502fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000008a04540000 | 0x8a04540000 | 0x8a0463ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x8a04640000 | 0x8a046fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008a04700000 | 0x8a04700000 | 0x8a0477ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x8a04780000 | 0x8a047b1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008a04880000 | 0x8a04880000 | 0x8a0488ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff150000 | 0x7df5ff150000 | 0x7ff5ff14ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69b660000 | 0x7ff69b660000 | 0x7ff69b75ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69b760000 | 0x7ff69b760000 | 0x7ff69b782fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69b78b000 | 0x7ff69b78b000 | 0x7ff69b78cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69b78d000 | 0x7ff69b78d000 | 0x7ff69b78efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69b78f000 | 0x7ff69b78f000 | 0x7ff69b78ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc3e660000 | 0x7ffc3e673fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x8a04500000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #22: werfault.exe
0
0
| Information | Value |
|---|---|
| ID | #22 |
| File Name | c:\windows\system32\werfault.exe |
| Command Line | C:\Windows\system32\WerFault.exe -u -p 1380 -s 976 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:27, Reason: Child Process |
| Unmonitor | End Time: 00:01:40, Reason: Self Terminated |
| Monitor Duration | 00:00:13 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd30 |
| Parent PID | 0x564 (c:\windows\system32\backgroundtaskhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C6C
0x
C4C
0x
C60
0x
C38
0x
C50
0x
F54
0x
F5C
0x
A70
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000012cdfe0000 | 0x12cdfe0000 | 0x12cdffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000012cdfe0000 | 0x12cdfe0000 | 0x12cdfeffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000012cdff0000 | 0x12cdff0000 | 0x12cdff6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000012ce000000 | 0x12ce000000 | 0x12ce013fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000012ce020000 | 0x12ce020000 | 0x12ce09ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000012ce0a0000 | 0x12ce0a0000 | 0x12ce0a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000012ce0b0000 | 0x12ce0b0000 | 0x12ce0b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000012ce0c0000 | 0x12ce0c0000 | 0x12ce0c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x12ce0d0000 | 0x12ce18dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000012ce190000 | 0x12ce190000 | 0x12ce196fff | Private Memory | rw |
|
|
|
- |
| private_0x00000012ce1a0000 | 0x12ce1a0000 | 0x12ce29ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000012ce2a0000 | 0x12ce2a0000 | 0x12ce31ffff | Private Memory | rw |
|
|
|
- |
| werfault.exe.mui | 0x12ce320000 | 0x12ce323fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000012ce330000 | 0x12ce330000 | 0x12ce330fff | Private Memory | rw |
|
|
|
- |
| private_0x00000012ce340000 | 0x12ce340000 | 0x12ce34ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000012ce350000 | 0x12ce350000 | 0x12ce350fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000012ce360000 | 0x12ce360000 | 0x12ce360fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000012ce370000 | 0x12ce370000 | 0x12ce370fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000012ce380000 | 0x12ce380000 | 0x12ce380fff | Pagefile Backed Memory | r |
|
|
|
- |
| faultrep.dll.mui | 0x12ce390000 | 0x12ce391fff | Memory Mapped File | r |
|
|
|
- |
| wer.dll.mui | 0x12ce3a0000 | 0x12ce3a2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000012ce3b0000 | 0x12ce3b0000 | 0x12ce3b6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000012ce3c0000 | 0x12ce3c0000 | 0x12ce3c1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000012ce3d0000 | 0x12ce3d0000 | 0x12ce3dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000012ce3e0000 | 0x12ce3e0000 | 0x12ce3e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000012ce3f0000 | 0x12ce3f0000 | 0x12ce3f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000012ce400000 | 0x12ce400000 | 0x12ce401fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000012ce410000 | 0x12ce410000 | 0x12ce41ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000012ce420000 | 0x12ce420000 | 0x12ce5a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000012ce5b0000 | 0x12ce5b0000 | 0x12ce730fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000012ce740000 | 0x12ce740000 | 0x12cfb3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x12cfb40000 | 0x12cfe76fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000012cfe80000 | 0x12cfe80000 | 0x12cfefffff | Private Memory | rw |
|
|
|
- |
| private_0x00000012cff00000 | 0x12cff00000 | 0x12cff7ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000012cff80000 | 0x12cff80000 | 0x12cfffffff | Private Memory | rw |
|
|
|
- |
| ntdll.dll.mui | 0x12d0000000 | 0x12d0065fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000012d0070000 | 0x12d0070000 | 0x12d00effff | Private Memory | rw |
|
|
|
- |
| private_0x00000012d00f0000 | 0x12d00f0000 | 0x12d01effff | Private Memory | rw |
|
|
|
- |
| private_0x00000012d01f0000 | 0x12d01f0000 | 0x12d02effff | Private Memory | rw |
|
|
|
- |
| private_0x00000012d02f0000 | 0x12d02f0000 | 0x12d03effff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x12d03f0000 | 0x12d04cefff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000012d04d0000 | 0x12d04d0000 | 0x12d05cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000012d05d0000 | 0x12d05d0000 | 0x12d05f9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| winnlsres.dll | 0x12d0600000 | 0x12d0604fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0x12d0610000 | 0x12d061ffff | Memory Mapped File | r |
|
|
|
- |
| mswsock.dll.mui | 0x12d0620000 | 0x12d0622fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000012d0630000 | 0x12d0630000 | 0x12d0631fff | Pagefile Backed Memory | rw |
|
|
|
- |
| crypt32.dll.mui | 0x12d0640000 | 0x12d0649fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000012d0650000 | 0x12d0650000 | 0x12d06cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000012d06d0000 | 0x12d06d0000 | 0x12d08cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff450000 | 0x7df5ff450000 | 0x7ff5ff44ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff671bce000 | 0x7ff671bce000 | 0x7ff671bcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff671bd0000 | 0x7ff671bd0000 | 0x7ff671ccffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff671cd0000 | 0x7ff671cd0000 | 0x7ff671cf2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff671cf3000 | 0x7ff671cf3000 | 0x7ff671cf3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff671cf4000 | 0x7ff671cf4000 | 0x7ff671cf5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff671cf6000 | 0x7ff671cf6000 | 0x7ff671cf7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff671cf8000 | 0x7ff671cf8000 | 0x7ff671cf9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff671cfa000 | 0x7ff671cfa000 | 0x7ff671cfbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff671cfc000 | 0x7ff671cfc000 | 0x7ff671cfdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff671cfe000 | 0x7ff671cfe000 | 0x7ff671cfffff | Private Memory | rw |
|
|
|
- |
| werfault.exe | 0x7ff672280000 | 0x7ff6722cafff | Memory Mapped File | rwx |
|
|
|
- |
| dbghelp.dll | 0x7ffc3e420000 | 0x7ffc3e5a9fff | Memory Mapped File | rwx |
|
|
|
- |
| wer.dll | 0x7ffc3f2c0000 | 0x7ffc3f35dfff | Memory Mapped File | rwx |
|
|
|
- |
| dui70.dll | 0x7ffc3fb30000 | 0x7ffc3fcdffff | Memory Mapped File | rwx |
|
|
|
- |
| mskeyprotect.dll | 0x7ffc42390000 | 0x7ffc423a3fff | Memory Mapped File | rwx |
|
|
|
- |
| ncryptsslp.dll | 0x7ffc42440000 | 0x7ffc4245efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.security.authentication.onlineid.dll | 0x7ffc44de0000 | 0x7ffc44e92fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffc48ff0000 | 0x7ffc49459fff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x7ffc4a100000 | 0x7ffc4a17ffff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ffc4b090000 | 0x7ffc4b09dfff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ffc4b6e0000 | 0x7ffc4b6ebfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffc4b890000 | 0x7ffc4b899fff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x7ffc4b8c0000 | 0x7ffc4b8d4fff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7ffc4c220000 | 0x7ffc4c25efff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7ffc4c270000 | 0x7ffc4c279fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4cbd0000 | 0x7ffc4ce43fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptnet.dll | 0x7ffc4cf30000 | 0x7ffc4cf5efff | Memory Mapped File | rwx |
|
|
|
- |
| werui.dll | 0x7ffc4d0e0000 | 0x7ffc4d153fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ffc4d9d0000 | 0x7ffc4daa5fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7ffc50980000 | 0x7ffc509e7fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ffc50a50000 | 0x7ffc50a69fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ffc50a70000 | 0x7ffc50a85fff | Memory Mapped File | rwx |
|
|
|
- |
| faultrep.dll | 0x7ffc50e60000 | 0x7ffc50ebdfff | Memory Mapped File | rwx |
|
|
|
- |
| dbgcore.dll | 0x7ffc513e0000 | 0x7ffc51404fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffc52ef0000 | 0x7ffc52f16fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ffc52f40000 | 0x7ffc5302dfff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ffc534a0000 | 0x7ffc534c2fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ffc53920000 | 0x7ffc53951fff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x7ffc53980000 | 0x7ffc539f3fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ffc53be0000 | 0x7ffc53c87fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffc53dd0000 | 0x7ffc53e2cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntasn1.dll | 0x7ffc53f30000 | 0x7ffc53f65fff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x7ffc53f70000 | 0x7ffc53f95fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x7ffc541f0000 | 0x7ffc541f9fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc545f0000 | 0x7ffc54600fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc54db0000 | 0x7ffc54f70fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7ffc55220000 | 0x7ffc5527afff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffc57900000 | 0x7ffc57968fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #23: werfault.exe
0
0
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\windows\system32\werfault.exe |
| Command Line | C:\Windows\system32\WerFault.exe -u -p 1916 -s 1164 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:30, Reason: Child Process |
| Unmonitor | End Time: 00:04:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:11 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf94 |
| Parent PID | 0x77c (c:\windows\system32\taskhostw.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
F9C
0x
F64
0x
F70
0x
F68
0x
B18
0x
F20
0x
F34
0x
790
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000074f51f0000 | 0x74f51f0000 | 0x74f520ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000074f51f0000 | 0x74f51f0000 | 0x74f51fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000074f5200000 | 0x74f5200000 | 0x74f5206fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000074f5210000 | 0x74f5210000 | 0x74f5223fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000074f5230000 | 0x74f5230000 | 0x74f52affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000074f52b0000 | 0x74f52b0000 | 0x74f52b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000074f52c0000 | 0x74f52c0000 | 0x74f52c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000074f52d0000 | 0x74f52d0000 | 0x74f52d1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x74f52e0000 | 0x74f539dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000074f53a0000 | 0x74f53a0000 | 0x74f53a6fff | Private Memory | rw |
|
|
|
- |
| werfault.exe.mui | 0x74f53b0000 | 0x74f53b3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000074f53c0000 | 0x74f53c0000 | 0x74f54bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000074f54c0000 | 0x74f54c0000 | 0x74f553ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000074f5540000 | 0x74f5540000 | 0x74f5540fff | Private Memory | rw |
|
|
|
- |
| private_0x00000074f5550000 | 0x74f5550000 | 0x74f5550fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000074f5560000 | 0x74f5560000 | 0x74f5560fff | Pagefile Backed Memory | rw |
|
|
|
- |
| faultrep.dll.mui | 0x74f5570000 | 0x74f5571fff | Memory Mapped File | r |
|
|
|
- |
| wer.dll.mui | 0x74f5580000 | 0x74f5582fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000074f5590000 | 0x74f5590000 | 0x74f5596fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000074f55a0000 | 0x74f55a0000 | 0x74f55a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000074f55b0000 | 0x74f55b0000 | 0x74f55b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000074f55c0000 | 0x74f55c0000 | 0x74f55cffff | Private Memory | rw |
|
|
|
- |
| werui.dll.mui | 0x74f55d0000 | 0x74f55d4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000074f55e0000 | 0x74f55e0000 | 0x74f55e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000074f55f0000 | 0x74f55f0000 | 0x74f55f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000074f5600000 | 0x74f5600000 | 0x74f560ffff | Private Memory | rw |
|
|
|
- |
| ntdll.dll.mui | 0x74f5610000 | 0x74f5675fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000074f5680000 | 0x74f5680000 | 0x74f5681fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000074f5690000 | 0x74f5690000 | 0x74f5693fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000074f56a0000 | 0x74f56a0000 | 0x74f56a6fff | Private Memory | rw |
|
|
|
- |
| duser.dll.mui | 0x74f56b0000 | 0x74f56b0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000074f56c0000 | 0x74f56c0000 | 0x74f56cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000074f56d0000 | 0x74f56d0000 | 0x74f5857fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000074f5860000 | 0x74f5860000 | 0x74f59e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000074f59f0000 | 0x74f59f0000 | 0x74f6deffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x74f6df0000 | 0x74f7126fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000074f71b0000 | 0x74f71b0000 | 0x74f72affff | Private Memory | rw |
|
|
|
- |
| private_0x00000074f72b0000 | 0x74f72b0000 | 0x74f73affff | Private Memory | rw |
|
|
|
- |
| private_0x00000074f73b0000 | 0x74f73b0000 | 0x74f74affff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x74f74b0000 | 0x74f758efff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000074f7590000 | 0x74f7590000 | 0x74f768ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000074f7790000 | 0x74f7790000 | 0x74f780ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000074f7810000 | 0x74f7810000 | 0x74f788ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000074f7890000 | 0x74f7890000 | 0x74f7947fff | Pagefile Backed Memory | r |
|
|
|
- |
| comctl32.dll.mui | 0x74f7950000 | 0x74f7952fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000074f7960000 | 0x74f7960000 | 0x74f7960fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000074f7970000 | 0x74f7970000 | 0x74f7972fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000074f7980000 | 0x74f7980000 | 0x74f7e71fff | Pagefile Backed Memory | rw |
|
|
|
- |
| staticcache.dat | 0x74f7e80000 | 0x74f8ebffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000074f8ec0000 | 0x74f8ec0000 | 0x74f8f08fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000074f8f10000 | 0x74f8f10000 | 0x74f8f10fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5fff90000 | 0x7df5fff90000 | 0x7ff5fff8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff671bec000 | 0x7ff671bec000 | 0x7ff671bedfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff671bee000 | 0x7ff671bee000 | 0x7ff671beffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff671bf0000 | 0x7ff671bf0000 | 0x7ff671ceffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff671cf0000 | 0x7ff671cf0000 | 0x7ff671d12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff671d1a000 | 0x7ff671d1a000 | 0x7ff671d1bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff671d1c000 | 0x7ff671d1c000 | 0x7ff671d1cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff671d1e000 | 0x7ff671d1e000 | 0x7ff671d1ffff | Private Memory | rw |
|
|
|
- |
| werfault.exe | 0x7ff672280000 | 0x7ff6722cafff | Memory Mapped File | rwx |
|
|
|
- |
| dbghelp.dll | 0x7ffc3e420000 | 0x7ffc3e5a9fff | Memory Mapped File | rwx |
|
|
|
- |
| wer.dll | 0x7ffc3f2c0000 | 0x7ffc3f35dfff | Memory Mapped File | rwx |
|
|
|
- |
| dui70.dll | 0x7ffc3fb30000 | 0x7ffc3fcdffff | Memory Mapped File | rwx |
|
|
|
- |
| atlthunk.dll | 0x7ffc41be0000 | 0x7ffc41beffff | Memory Mapped File | rwx |
|
|
|
- |
| msls31.dll | 0x7ffc48f10000 | 0x7ffc48f47fff | Memory Mapped File | rwx |
|
|
|
- |
| riched20.dll | 0x7ffc48f50000 | 0x7ffc48feafff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ffc4b6e0000 | 0x7ffc4b6ebfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffc4b890000 | 0x7ffc4b899fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4cbd0000 | 0x7ffc4ce43fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7ffc4d0a0000 | 0x7ffc4d0b7fff | Memory Mapped File | rwx |
|
|
|
- |
| werui.dll | 0x7ffc4d0e0000 | 0x7ffc4d153fff | Memory Mapped File | rwx |
|
|
|
- |
| duser.dll | 0x7ffc4f3a0000 | 0x7ffc4f438fff | Memory Mapped File | rwx |
|
|
|
- |
| faultrep.dll | 0x7ffc50e60000 | 0x7ffc50ebdfff | Memory Mapped File | rwx |
|
|
|
- |
| dbgcore.dll | 0x7ffc513e0000 | 0x7ffc51404fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ffc525f0000 | 0x7ffc52611fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffc52ef0000 | 0x7ffc52f16fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ffc53920000 | 0x7ffc53951fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #24: svchost.exe
134
0
| Information | Value |
|---|---|
| ID | #24 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k UnistackSvcGroup |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:34, Reason: Injection |
| Unmonitor | End Time: 00:04:41, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcb0 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
F88
0x
F6C
0x
F98
0x
F38
0x
CAC
0x
CB4
0x
A44
0x
8BC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000005768350000 | 0x5768350000 | 0x576835ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| svchost.exe.mui | 0x5768360000 | 0x5768360fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000005768370000 | 0x5768370000 | 0x5768383fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005768390000 | 0x5768390000 | 0x576840ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005768410000 | 0x5768410000 | 0x5768413fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005768420000 | 0x5768420000 | 0x5768420fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005768430000 | 0x5768430000 | 0x5768431fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x5768440000 | 0x57684fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005768500000 | 0x5768500000 | 0x576857ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005768580000 | 0x5768580000 | 0x5768580fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005768590000 | 0x5768590000 | 0x5768590fff | Private Memory | rw |
|
|
|
- |
| phoneutilres.dll | 0x57685a0000 | 0x57685a0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000057685c0000 | 0x57685c0000 | 0x57685c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000057685d0000 | 0x57685d0000 | 0x57685d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| syncres.dll | 0x57685e0000 | 0x57685e0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000057685f0000 | 0x57685f0000 | 0x5768619fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005768620000 | 0x5768620000 | 0x5768626fff | Private Memory | rw |
|
|
|
- |
| private_0x00000057686e0000 | 0x57686e0000 | 0x57686e6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005768700000 | 0x5768700000 | 0x57687fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005768800000 | 0x5768800000 | 0x57688fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005768900000 | 0x5768900000 | 0x5768a87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005768a90000 | 0x5768a90000 | 0x5768c10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005768c20000 | 0x5768c20000 | 0x576a01ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000576a020000 | 0x576a020000 | 0x576a11ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000576a120000 | 0x576a120000 | 0x576a21ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000576a220000 | 0x576a220000 | 0x576a31ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000576a320000 | 0x576a320000 | 0x576a41ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000576a420000 | 0x576a420000 | 0x576a51ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x576a520000 | 0x576a856fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000576a860000 | 0x576a860000 | 0x576a95ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff940000 | 0x7df5ff940000 | 0x7ff5ff93ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff6ad000000 | 0x7ff6ad000000 | 0x7ff6ad395fff | Private Memory | rwx |
|
|
|
- |
| private_0x00007ff6e02de000 | 0x7ff6e02de000 | 0x7ff6e02dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff6e02e0000 | 0x7ff6e02e0000 | 0x7ff6e03dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6e03e0000 | 0x7ff6e03e0000 | 0x7ff6e0402fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6e0403000 | 0x7ff6e0403000 | 0x7ff6e0404fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0405000 | 0x7ff6e0405000 | 0x7ff6e0406fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0407000 | 0x7ff6e0407000 | 0x7ff6e0408fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e0409000 | 0x7ff6e0409000 | 0x7ff6e040afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e040b000 | 0x7ff6e040b000 | 0x7ff6e040cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e040d000 | 0x7ff6e040d000 | 0x7ff6e040efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6e040f000 | 0x7ff6e040f000 | 0x7ff6e040ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x7ff6e1100000 | 0x7ff6e110cfff | Memory Mapped File | rwx |
|
|
|
- |
| synccontroller.dll | 0x7ffc3e350000 | 0x7ffc3e3bbfff | Memory Mapped File | rwx |
|
|
|
- |
| phoneutil.dll | 0x7ffc3ec30000 | 0x7ffc3ec70fff | Memory Mapped File | rwx |
|
|
|
- |
| pimstore.dll | 0x7ffc3ec80000 | 0x7ffc3edf0fff | Memory Mapped File | rwx |
|
|
|
- |
| syncutil.dll | 0x7ffc3fd00000 | 0x7ffc3fd46fff | Memory Mapped File | rwx |
|
|
|
- |
| userdataplatformhelperutil.dll | 0x7ffc40ab0000 | 0x7ffc40ac5fff | Memory Mapped File | rwx |
|
|
|
- |
| vaultcli.dll | 0x7ffc46900000 | 0x7ffc46947fff | Memory Mapped File | rwx |
|
|
|
- |
| tokenbroker.dll | 0x7ffc486a0000 | 0x7ffc48765fff | Memory Mapped File | rwx |
|
|
|
- |
| dsclient.dll | 0x7ffc48ed0000 | 0x7ffc48edbfff | Memory Mapped File | rwx |
|
|
|
- |
| userdatatypehelperutil.dll | 0x7ffc48ee0000 | 0x7ffc48ef0fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffc48ff0000 | 0x7ffc49459fff | Memory Mapped File | rwx |
|
|
|
- |
| esent.dll | 0x7ffc4bc70000 | 0x7ffc4bf51fff | Memory Mapped File | rwx |
|
|
|
- |
| networkhelper.dll | 0x7ffc4ce50000 | 0x7ffc4ce66fff | Memory Mapped File | rwx |
|
|
|
- |
| idstore.dll | 0x7ffc4cf00000 | 0x7ffc4cf26fff | Memory Mapped File | rwx |
|
|
|
- |
| aphostservice.dll | 0x7ffc4cff0000 | 0x7ffc4d03dfff | Memory Mapped File | rwx |
|
|
|
- |
| inproclogger.dll | 0x7ffc4d090000 | 0x7ffc4d09cfff | Memory Mapped File | rwx |
|
|
|
- |
| mccspal.dll | 0x7ffc4d0c0000 | 0x7ffc4d0cafff | Memory Mapped File | rwx |
|
|
|
- |
| userdatatimeutil.dll | 0x7ffc4d490000 | 0x7ffc4d4b0fff | Memory Mapped File | rwx |
|
|
|
- |
| userdatalanguageutil.dll | 0x7ffc4d4c0000 | 0x7ffc4d4d0fff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ffc4d9d0000 | 0x7ffc4daa5fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ffc4ddd0000 | 0x7ffc4e145fff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x7ffc50bd0000 | 0x7ffc50bebfff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ffc50c00000 | 0x7ffc50d30fff | Memory Mapped File | rwx |
|
|
|
- |
| accountaccessor.dll | 0x7ffc50d90000 | 0x7ffc50dc5fff | Memory Mapped File | rwx |
|
|
|
- |
| aphostclient.dll | 0x7ffc50dd0000 | 0x7ffc50ddffff | Memory Mapped File | rwx |
|
|
|
- |
| cemapi.dll | 0x7ffc50de0000 | 0x7ffc50e1ffff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x7ffc51cb0000 | 0x7ffc51cc7fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ffc52640000 | 0x7ffc52652fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffc53810000 | 0x7ffc5382bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ffc53920000 | 0x7ffc53951fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| msv1_0.dll | 0x7ffc53d70000 | 0x7ffc53dcefff | Memory Mapped File | rwx |
|
|
|
- |
| ntlmshared.dll | 0x7ffc54200000 | 0x7ffc5420afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptdll.dll | 0x7ffc54260000 | 0x7ffc54273fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc545f0000 | 0x7ffc54600fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc54db0000 | 0x7ffc54f70fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\fkgcs.exe | 0x61c | address = 0x7ff6ad000000, size = 3760128 |
|
1 | |
| Create Remote Thread | #1: c:\users\ciihmnxmn6ps\desktop\fkgcs.exe | 0x61c | address = 0x7ff6ad002870 |
|
1 |
Host Behavior
File (18)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\users\Public\sys | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN |
|
18 |
Module (78)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffc55800000 |
|
1 | |
| Load | mpr.dll | base_address = 0x7ffc53810000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x7ffc57aa0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7ffc57750000 |
|
1 | |
| Load | Shell32.dll | base_address = 0x7ffc559d0000 |
|
1 | |
| Load | Iphlpapi.dll | base_address = 0x7ffc51c50000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7ffc55822080 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7ffc55816060 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualFree, address_out = 0x7ffc5581bc10 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptExportKey, address_out = 0x7ffc57ab7b50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileW, address_out = 0x7ffc558257a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDriveTypeW, address_out = 0x7ffc558258f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCommandLineW, address_out = 0x7ffc55820150 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetStartupInfoW, address_out = 0x7ffc5581ed80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileW, address_out = 0x7ffc55825880 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualAlloc, address_out = 0x7ffc5581baf0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7ffc57acec40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ExitProcess, address_out = 0x7ffc5581ef50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffc558436a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x7ffc5581d5b0 |
|
1 | |
| Get Address | c:\windows\system32\iphlpapi.dll | function = GetIpNetTable, address_out = 0x7ffc51c6f0b0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x7ffc5581aa30 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffc55843690 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDefaultLangID, address_out = 0x7ffc55822ba0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameW, address_out = 0x7ffc57abda40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x7ffc55825a90 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegQueryValueExA, address_out = 0x7ffc57ab7dd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7ffc55825510 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegSetValueExW, address_out = 0x7ffc57ab7850 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7ffc57ab72e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7ffc5583e430 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesW, address_out = 0x7ffc55825b00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WinExec, address_out = 0x7ffc55841e60 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDeriveKey, address_out = 0x7ffc57ad07a0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptGenKey, address_out = 0x7ffc57abcab0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Sleep, address_out = 0x7ffc55818f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcess, address_out = 0x7ffc55816580 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteW, address_out = 0x7ffc55b1abc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x7ffc55825950 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GlobalAlloc, address_out = 0x7ffc5581b810 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x7ffc558257c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForMultipleObjects, address_out = 0x7ffc558256e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameA, address_out = 0x7ffc55820c70 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteA, address_out = 0x7ffc55bd7de0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleA, address_out = 0x7ffc5581e6d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameW, address_out = 0x7ffc5581eca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7ffc55825760 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSizeEx, address_out = 0x7ffc55825960 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x7ffc55825b80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalDrives, address_out = 0x7ffc558166d0 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetEnumResourceW, address_out = 0x7ffc538127d0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7ffc57ab6cb0 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetCloseEnum, address_out = 0x7ffc53812e20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x7ffc55822940 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x7ffc55825af0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExA, address_out = 0x7ffc57ab7d70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7ffc55825b20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount, address_out = 0x7ffc558160a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesW, address_out = 0x7ffc55825930 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileW, address_out = 0x7ffc55825840 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextW, address_out = 0x7ffc57ab89e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MoveFileExW, address_out = 0x7ffc55823010 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetOpenEnumW, address_out = 0x7ffc53812f20 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoInitialize, address_out = 0x7ffc57763870 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDecrypt, address_out = 0x7ffc57ab9140 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptImportKey, address_out = 0x7ffc57ab7b40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointerEx, address_out = 0x7ffc55825b30 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileW, address_out = 0x7ffc55825d70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibrary, address_out = 0x7ffc5581eb90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessW, address_out = 0x7ffc5581dee0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryW, address_out = 0x7ffc55825740 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThread, address_out = 0x7ffc5581bc20 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDestroyKey, address_out = 0x7ffc57ab86b0 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoCreateInstance, address_out = 0x7ffc57257000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileW, address_out = 0x7ffc55825770 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesA, address_out = 0x7ffc55825900 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptEncrypt, address_out = 0x7ffc57abd7e0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueW, address_out = 0x7ffc57ab90b0 |
|
1 |
System (38)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 | |
| Sleep | duration = 25000 milliseconds (25.000 seconds) |
|
18 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
18 |
Process #25: net.exe
0
0
| Information | Value |
|---|---|
| ID | #25 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:35, Reason: Child Process |
| Unmonitor | End Time: 00:01:37, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4f8 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
51C
0x
C74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000d3d72f0000 | 0xd3d72f0000 | 0xd3d730ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d3d72f0000 | 0xd3d72f0000 | 0xd3d72fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000d3d7310000 | 0xd3d7310000 | 0xd3d7323fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d3d7330000 | 0xd3d7330000 | 0xd3d73affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d3d73b0000 | 0xd3d73b0000 | 0xd3d73b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d3d73c0000 | 0xd3d73c0000 | 0xd3d73c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d3d73d0000 | 0xd3d73d0000 | 0xd3d73d1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xd3d73e0000 | 0xd3d749dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d3d7550000 | 0xd3d7550000 | 0xd3d764ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff080000 | 0x7df5ff080000 | 0x7ff5ff07ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6a40000 | 0x7ff6d6a40000 | 0x7ff6d6b3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6b40000 | 0x7ff6d6b40000 | 0x7ff6d6b62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d6b6d000 | 0x7ff6d6b6d000 | 0x7ff6d6b6efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d6b6f000 | 0x7ff6d6b6f000 | 0x7ff6d6b6ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #27: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #27 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:36, Reason: Child Process |
| Unmonitor | End Time: 00:01:37, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc90 |
| Parent PID | 0x4f8 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C8C
0x
820
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000083f9e60000 | 0x83f9e60000 | 0x83f9e7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000083f9e60000 | 0x83f9e60000 | 0x83f9e6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000083f9e70000 | 0x83f9e70000 | 0x83f9e76fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000083f9e80000 | 0x83f9e80000 | 0x83f9e93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000083f9ea0000 | 0x83f9ea0000 | 0x83f9f1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000083f9f20000 | 0x83f9f20000 | 0x83f9f23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000083f9f30000 | 0x83f9f30000 | 0x83f9f30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000083f9f40000 | 0x83f9f40000 | 0x83f9f41fff | Private Memory | rw |
|
|
|
- |
| private_0x00000083f9f50000 | 0x83f9f50000 | 0x83f9f56fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x83f9f60000 | 0x83f9f62fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000083f9f90000 | 0x83f9f90000 | 0x83fa08ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x83fa090000 | 0x83fa14dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000083fa150000 | 0x83fa150000 | 0x83fa1cffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x83fa1d0000 | 0x83fa201fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000083fa280000 | 0x83fa280000 | 0x83fa28ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5fff30000 | 0x7df5fff30000 | 0x7ff5fff2ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69bf10000 | 0x7ff69bf10000 | 0x7ff69c00ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69c010000 | 0x7ff69c010000 | 0x7ff69c032fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69c03a000 | 0x7ff69c03a000 | 0x7ff69c03afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c03c000 | 0x7ff69c03c000 | 0x7ff69c03dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c03e000 | 0x7ff69c03e000 | 0x7ff69c03ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc4cea0000 | 0x7ffc4ceb3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x83f9f60000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #28: net.exe
0
0
| Information | Value |
|---|---|
| ID | #28 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:42, Reason: Child Process |
| Unmonitor | End Time: 00:01:43, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x81c |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
550
0x
AF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000002102420000 | 0x2102420000 | 0x210243ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002102420000 | 0x2102420000 | 0x210242ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000002102430000 | 0x2102430000 | 0x2102436fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002102440000 | 0x2102440000 | 0x2102453fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002102460000 | 0x2102460000 | 0x21024dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000021024e0000 | 0x21024e0000 | 0x21024e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000021024f0000 | 0x21024f0000 | 0x21024f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002102500000 | 0x2102500000 | 0x2102501fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x2102510000 | 0x21025cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000021025d0000 | 0x21025d0000 | 0x210264ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002102650000 | 0x2102650000 | 0x2102656fff | Private Memory | rw |
|
|
|
- |
| private_0x00000021026e0000 | 0x21026e0000 | 0x21027dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000021028e0000 | 0x21028e0000 | 0x21028effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff090000 | 0x7df5ff090000 | 0x7ff5ff08ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6e00000 | 0x7ff6d6e00000 | 0x7ff6d6efffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6f00000 | 0x7ff6d6f00000 | 0x7ff6d6f22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d6f2b000 | 0x7ff6d6f2b000 | 0x7ff6d6f2cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d6f2d000 | 0x7ff6d6f2d000 | 0x7ff6d6f2dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d6f2e000 | 0x7ff6d6f2e000 | 0x7ff6d6f2ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc4cea0000 | 0x7ffc4ceb3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffc53810000 | 0x7ffc5382bfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #30: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #30 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:42, Reason: Child Process |
| Unmonitor | End Time: 00:01:42, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9f8 |
| Parent PID | 0x81c (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B08
0x
A24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000992bb30000 | 0x992bb30000 | 0x992bb4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000992bb30000 | 0x992bb30000 | 0x992bb3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000992bb40000 | 0x992bb40000 | 0x992bb46fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000992bb50000 | 0x992bb50000 | 0x992bb63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000992bb70000 | 0x992bb70000 | 0x992bbeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000992bbf0000 | 0x992bbf0000 | 0x992bbf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000992bc00000 | 0x992bc00000 | 0x992bc00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000992bc10000 | 0x992bc10000 | 0x992bc11fff | Private Memory | rw |
|
|
|
- |
| private_0x000000992bc20000 | 0x992bc20000 | 0x992bc26fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x992bc30000 | 0x992bc32fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0x992bc40000 | 0x992bc71fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000992bc90000 | 0x992bc90000 | 0x992bd8ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x992bd90000 | 0x992be4dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000992be50000 | 0x992be50000 | 0x992becffff | Private Memory | rw |
|
|
|
- |
| private_0x000000992c070000 | 0x992c070000 | 0x992c07ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5fff50000 | 0x7df5fff50000 | 0x7ff5fff4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69bae0000 | 0x7ff69bae0000 | 0x7ff69bbdffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69bbe0000 | 0x7ff69bbe0000 | 0x7ff69bc02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69bc0b000 | 0x7ff69bc0b000 | 0x7ff69bc0bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bc0c000 | 0x7ff69bc0c000 | 0x7ff69bc0dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bc0e000 | 0x7ff69bc0e000 | 0x7ff69bc0ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc4cea0000 | 0x7ffc4ceb3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x992bc30000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #31: net.exe
0
0
| Information | Value |
|---|---|
| ID | #31 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:46, Reason: Child Process |
| Unmonitor | End Time: 00:01:48, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf08 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DC8
0x
ED8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000007acc2b0000 | 0x7acc2b0000 | 0x7acc2cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007acc2b0000 | 0x7acc2b0000 | 0x7acc2bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000007acc2d0000 | 0x7acc2d0000 | 0x7acc2e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007acc2f0000 | 0x7acc2f0000 | 0x7acc36ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007acc370000 | 0x7acc370000 | 0x7acc373fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000007acc380000 | 0x7acc380000 | 0x7acc380fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007acc390000 | 0x7acc390000 | 0x7acc391fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x7acc3a0000 | 0x7acc45dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000007acc460000 | 0x7acc460000 | 0x7acc55ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff290000 | 0x7df5ff290000 | 0x7ff5ff28ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6ef0000 | 0x7ff6d6ef0000 | 0x7ff6d6feffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6ff0000 | 0x7ff6d6ff0000 | 0x7ff6d7012fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d7017000 | 0x7ff6d7017000 | 0x7ff6d7017fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d701e000 | 0x7ff6d701e000 | 0x7ff6d701ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #33: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #33 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:46, Reason: Child Process |
| Unmonitor | End Time: 00:01:48, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe44 |
| Parent PID | 0xf08 (c:\windows\system32\net1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DA4
0x
EFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000004dc1e00000 | 0x4dc1e00000 | 0x4dc1e1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004dc1e00000 | 0x4dc1e00000 | 0x4dc1e0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000004dc1e10000 | 0x4dc1e10000 | 0x4dc1e16fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004dc1e20000 | 0x4dc1e20000 | 0x4dc1e33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004dc1e40000 | 0x4dc1e40000 | 0x4dc1ebffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004dc1ec0000 | 0x4dc1ec0000 | 0x4dc1ec3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000004dc1ed0000 | 0x4dc1ed0000 | 0x4dc1ed0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004dc1ee0000 | 0x4dc1ee0000 | 0x4dc1ee1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x4dc1ef0000 | 0x4dc1fadfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004dc1fb0000 | 0x4dc1fb0000 | 0x4dc202ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004dc2030000 | 0x4dc2030000 | 0x4dc2036fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x4dc2040000 | 0x4dc2042fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000004dc2070000 | 0x4dc2070000 | 0x4dc207ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004dc2090000 | 0x4dc2090000 | 0x4dc218ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x4dc2190000 | 0x4dc21c1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ffbe0000 | 0x7df5ffbe0000 | 0x7ff5ffbdffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69bed0000 | 0x7ff69bed0000 | 0x7ff69bfcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69bfd0000 | 0x7ff69bfd0000 | 0x7ff69bff2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69bffa000 | 0x7ff69bffa000 | 0x7ff69bffbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bffc000 | 0x7ff69bffc000 | 0x7ff69bffcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bffe000 | 0x7ff69bffe000 | 0x7ff69bffffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc4cea0000 | 0x7ffc4ceb3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x4dc2040000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #34: net.exe
0
0
| Information | Value |
|---|---|
| ID | #34 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:52, Reason: Child Process |
| Unmonitor | End Time: 00:01:57, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf08 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DD8
0x
10CC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000097ff910000 | 0x97ff910000 | 0x97ff92ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000097ff910000 | 0x97ff910000 | 0x97ff91ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000097ff930000 | 0x97ff930000 | 0x97ff943fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000097ff950000 | 0x97ff950000 | 0x97ff9cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000097ff9d0000 | 0x97ff9d0000 | 0x97ff9d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000097ff9e0000 | 0x97ff9e0000 | 0x97ff9e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000097ff9f0000 | 0x97ff9f0000 | 0x97ff9f1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x97ffa00000 | 0x97ffabdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000097ffb70000 | 0x97ffb70000 | 0x97ffc6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff680000 | 0x7df5ff680000 | 0x7ff5ff67ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6930000 | 0x7ff6d6930000 | 0x7ff6d6a2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6a30000 | 0x7ff6d6a30000 | 0x7ff6d6a52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d6a53000 | 0x7ff6d6a53000 | 0x7ff6d6a53fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d6a5e000 | 0x7ff6d6a5e000 | 0x7ff6d6a5ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #36: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #36 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:54, Reason: Child Process |
| Unmonitor | End Time: 00:01:57, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x10d4 |
| Parent PID | 0xf08 (c:\windows\system32\net1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
10D8
0x
115C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000083f9200000 | 0x83f9200000 | 0x83f921ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000083f9200000 | 0x83f9200000 | 0x83f920ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000083f9210000 | 0x83f9210000 | 0x83f9216fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000083f9220000 | 0x83f9220000 | 0x83f9233fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000083f9240000 | 0x83f9240000 | 0x83f92bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000083f92c0000 | 0x83f92c0000 | 0x83f92c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000083f92d0000 | 0x83f92d0000 | 0x83f92d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000083f92e0000 | 0x83f92e0000 | 0x83f92e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x83f92f0000 | 0x83f93adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000083f93b0000 | 0x83f93b0000 | 0x83f942ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000083f9430000 | 0x83f9430000 | 0x83f952ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000083f9530000 | 0x83f9530000 | 0x83f9536fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x83f9540000 | 0x83f9542fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0x83f9550000 | 0x83f9581fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000083f9710000 | 0x83f9710000 | 0x83f971ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff2a0000 | 0x7df5ff2a0000 | 0x7ff5ff29ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69bd20000 | 0x7ff69bd20000 | 0x7ff69be1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69be20000 | 0x7ff69be20000 | 0x7ff69be42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69be46000 | 0x7ff69be46000 | 0x7ff69be46fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69be4c000 | 0x7ff69be4c000 | 0x7ff69be4dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69be4e000 | 0x7ff69be4e000 | 0x7ff69be4ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc4cea0000 | 0x7ffc4ceb3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x83f9540000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #37: net.exe
0
0
| Information | Value |
|---|---|
| ID | #37 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:56, Reason: Child Process |
| Unmonitor | End Time: 00:01:59, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1200 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1204
0x
1340
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000a058730000 | 0xa058730000 | 0xa05874ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a058730000 | 0xa058730000 | 0xa05873ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a058750000 | 0xa058750000 | 0xa058763fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a058770000 | 0xa058770000 | 0xa0587effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a0587f0000 | 0xa0587f0000 | 0xa0587f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a058800000 | 0xa058800000 | 0xa058800fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a058810000 | 0xa058810000 | 0xa058811fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xa058820000 | 0xa0588ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a058a10000 | 0xa058a10000 | 0xa058b0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff2d0000 | 0x7df5ff2d0000 | 0x7ff5ff2cffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6b50000 | 0x7ff6d6b50000 | 0x7ff6d6c4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6c50000 | 0x7ff6d6c50000 | 0x7ff6d6c72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d6c77000 | 0x7ff6d6c77000 | 0x7ff6d6c77fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d6c7e000 | 0x7ff6d6c7e000 | 0x7ff6d6c7ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #39: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #39 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:58, Reason: Child Process |
| Unmonitor | End Time: 00:01:58, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1370 |
| Parent PID | 0x1200 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1374
0x
13BC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000006945ce0000 | 0x6945ce0000 | 0x6945cfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006945ce0000 | 0x6945ce0000 | 0x6945ceffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000006945cf0000 | 0x6945cf0000 | 0x6945cf6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006945d00000 | 0x6945d00000 | 0x6945d13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006945d20000 | 0x6945d20000 | 0x6945d9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006945da0000 | 0x6945da0000 | 0x6945da3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000006945db0000 | 0x6945db0000 | 0x6945db0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006945dc0000 | 0x6945dc0000 | 0x6945dc1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x6945dd0000 | 0x6945e8dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000006945e90000 | 0x6945e90000 | 0x6945f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006945f10000 | 0x6945f10000 | 0x694600ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006946010000 | 0x6946010000 | 0x6946016fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x6946020000 | 0x6946022fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000006946050000 | 0x6946050000 | 0x694605ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x6946060000 | 0x6946091fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df600000000 | 0x7df600000000 | 0x7ff5ffffffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69b990000 | 0x7ff69b990000 | 0x7ff69ba8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69ba90000 | 0x7ff69ba90000 | 0x7ff69bab2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69babb000 | 0x7ff69babb000 | 0x7ff69babcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69babd000 | 0x7ff69babd000 | 0x7ff69babefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69babf000 | 0x7ff69babf000 | 0x7ff69babffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc4cea0000 | 0x7ffc4ceb3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x6946020000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #40: net.exe
0
0
| Information | Value |
|---|---|
| ID | #40 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:06, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1750 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1754
0x
1808
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000004df4a30000 | 0x4df4a30000 | 0x4df4a4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004df4a30000 | 0x4df4a30000 | 0x4df4a3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000004df4a50000 | 0x4df4a50000 | 0x4df4a63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004df4a70000 | 0x4df4a70000 | 0x4df4aeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004df4af0000 | 0x4df4af0000 | 0x4df4af3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000004df4b00000 | 0x4df4b00000 | 0x4df4b00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004df4b10000 | 0x4df4b10000 | 0x4df4b11fff | Private Memory | rw |
|
|
|
- |
| private_0x0000004df4b20000 | 0x4df4b20000 | 0x4df4c1ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x4df4c20000 | 0x4df4cddfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ffaa0000 | 0x7df5ffaa0000 | 0x7ff5ffa9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6700000 | 0x7ff6d6700000 | 0x7ff6d67fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6800000 | 0x7ff6d6800000 | 0x7ff6d6822fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d682c000 | 0x7ff6d682c000 | 0x7ff6d682dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d682e000 | 0x7ff6d682e000 | 0x7ff6d682efff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #42: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #42 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:05, Reason: Child Process |
| Unmonitor | End Time: 00:02:06, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1814 |
| Parent PID | 0x1750 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1818
0x
183C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000cd69ef0000 | 0xcd69ef0000 | 0xcd69f0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cd69ef0000 | 0xcd69ef0000 | 0xcd69efffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000cd69f00000 | 0xcd69f00000 | 0xcd69f06fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cd69f10000 | 0xcd69f10000 | 0xcd69f23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000cd69f30000 | 0xcd69f30000 | 0xcd69faffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cd69fb0000 | 0xcd69fb0000 | 0xcd69fb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000cd69fc0000 | 0xcd69fc0000 | 0xcd69fc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000cd69fd0000 | 0xcd69fd0000 | 0xcd69fd1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xcd69fe0000 | 0xcd6a09dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000cd6a0a0000 | 0xcd6a0a0000 | 0xcd6a11ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cd6a120000 | 0xcd6a120000 | 0xcd6a126fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xcd6a130000 | 0xcd6a132fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0xcd6a140000 | 0xcd6a171fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000cd6a1c0000 | 0xcd6a1c0000 | 0xcd6a2bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cd6a3f0000 | 0xcd6a3f0000 | 0xcd6a3fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffdd0000 | 0x7df5ffdd0000 | 0x7ff5ffdcffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69c010000 | 0x7ff69c010000 | 0x7ff69c10ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69c110000 | 0x7ff69c110000 | 0x7ff69c132fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69c136000 | 0x7ff69c136000 | 0x7ff69c136fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c13c000 | 0x7ff69c13c000 | 0x7ff69c13dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c13e000 | 0x7ff69c13e000 | 0x7ff69c13ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc4cea0000 | 0x7ffc4ceb3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xcd6a130000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #43: net.exe
0
0
| Information | Value |
|---|---|
| ID | #43 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:08, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x18fc |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1900
0x
1918
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000042a2c60000 | 0x42a2c60000 | 0x42a2c7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000042a2c60000 | 0x42a2c60000 | 0x42a2c6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000042a2c80000 | 0x42a2c80000 | 0x42a2c93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000042a2ca0000 | 0x42a2ca0000 | 0x42a2d1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000042a2d20000 | 0x42a2d20000 | 0x42a2d23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000042a2d30000 | 0x42a2d30000 | 0x42a2d30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000042a2d40000 | 0x42a2d40000 | 0x42a2d41fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x42a2d50000 | 0x42a2e0dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000042a2e30000 | 0x42a2e30000 | 0x42a2f2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff6e0000 | 0x7df5ff6e0000 | 0x7ff5ff6dffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d70f0000 | 0x7ff6d70f0000 | 0x7ff6d71effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d71f0000 | 0x7ff6d71f0000 | 0x7ff6d7212fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d7213000 | 0x7ff6d7213000 | 0x7ff6d7213fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d721e000 | 0x7ff6d721e000 | 0x7ff6d721ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #45: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #45 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:07, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x191c |
| Parent PID | 0x18fc (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1920
0x
1924
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000000100000000 | 0x100000000 | 0x10001ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000100000000 | 0x100000000 | 0x10000ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000100010000 | 0x100010000 | 0x100016fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000100020000 | 0x100020000 | 0x100033fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000100040000 | 0x100040000 | 0x1000bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000001000c0000 | 0x1000c0000 | 0x1000c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000001000d0000 | 0x1000d0000 | 0x1000d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000001000e0000 | 0x1000e0000 | 0x1000e1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x1000f0000 | 0x1001adfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000001001b0000 | 0x1001b0000 | 0x1001b6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x1001c0000 | 0x1001c2fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000100200000 | 0x100200000 | 0x1002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000100300000 | 0x100300000 | 0x10037ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x100380000 | 0x1003b1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000001004a0000 | 0x1004a0000 | 0x1004affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffe60000 | 0x7df5ffe60000 | 0x7ff5ffe5ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69c0a0000 | 0x7ff69c0a0000 | 0x7ff69c19ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69c1a0000 | 0x7ff69c1a0000 | 0x7ff69c1c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69c1cb000 | 0x7ff69c1cb000 | 0x7ff69c1ccfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c1cd000 | 0x7ff69c1cd000 | 0x7ff69c1cefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c1cf000 | 0x7ff69c1cf000 | 0x7ff69c1cffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc4cea0000 | 0x7ffc4ceb3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x1001c0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #46: net.exe
0
0
| Information | Value |
|---|---|
| ID | #46 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:02:22, Reason: Self Terminated |
| Monitor Duration | 00:00:08 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1b88 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1B8C
0x
1BC4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000008479a30000 | 0x8479a30000 | 0x8479a4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008479a30000 | 0x8479a30000 | 0x8479a3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000008479a50000 | 0x8479a50000 | 0x8479a63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008479a70000 | 0x8479a70000 | 0x8479aeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008479af0000 | 0x8479af0000 | 0x8479af3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008479b00000 | 0x8479b00000 | 0x8479b00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008479b10000 | 0x8479b10000 | 0x8479b11fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x8479b20000 | 0x8479bddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008479cb0000 | 0x8479cb0000 | 0x8479daffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffe50000 | 0x7df5ffe50000 | 0x7ff5ffe4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d62e0000 | 0x7ff6d62e0000 | 0x7ff6d63dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d63e0000 | 0x7ff6d63e0000 | 0x7ff6d6402fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d6407000 | 0x7ff6d6407000 | 0x7ff6d6407fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d640e000 | 0x7ff6d640e000 | 0x7ff6d640ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #48: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #48 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:15, Reason: Child Process |
| Unmonitor | End Time: 00:02:20, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1bcc |
| Parent PID | 0x1b88 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1BD0
0x
DC4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000f4720d0000 | 0xf4720d0000 | 0xf4720effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f4720d0000 | 0xf4720d0000 | 0xf4720dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000f4720e0000 | 0xf4720e0000 | 0xf4720e6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f4720f0000 | 0xf4720f0000 | 0xf472103fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f472110000 | 0xf472110000 | 0xf47218ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f472190000 | 0xf472190000 | 0xf472193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f4721a0000 | 0xf4721a0000 | 0xf4721a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f4721b0000 | 0xf4721b0000 | 0xf4721b1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xf4721c0000 | 0xf47227dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f472280000 | 0xf472280000 | 0xf4722fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f472300000 | 0xf472300000 | 0xf472306fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xf472310000 | 0xf472312fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000f472330000 | 0xf472330000 | 0xf47233ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0xf472340000 | 0xf472371fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f472380000 | 0xf472380000 | 0xf47247ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffff0000 | 0x7df5ffff0000 | 0x7ff5fffeffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69bf20000 | 0x7ff69bf20000 | 0x7ff69c01ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69c020000 | 0x7ff69c020000 | 0x7ff69c042fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69c04a000 | 0x7ff69c04a000 | 0x7ff69c04bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c04c000 | 0x7ff69c04c000 | 0x7ff69c04cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c04e000 | 0x7ff69c04e000 | 0x7ff69c04ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc4cea0000 | 0x7ffc4ceb3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xf472310000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #49: net.exe
0
0
| Information | Value |
|---|---|
| ID | #49 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:18, Reason: Child Process |
| Unmonitor | End Time: 00:02:22, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1ccc |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1CD0
0x
1EC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000d99fab0000 | 0xd99fab0000 | 0xd99facffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d99fab0000 | 0xd99fab0000 | 0xd99fabffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000d99fad0000 | 0xd99fad0000 | 0xd99fae3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d99faf0000 | 0xd99faf0000 | 0xd99fb6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d99fb70000 | 0xd99fb70000 | 0xd99fb73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d99fb80000 | 0xd99fb80000 | 0xd99fb80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d99fb90000 | 0xd99fb90000 | 0xd99fb91fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d99fc00000 | 0xd99fc00000 | 0xd99fcfffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xd99fd00000 | 0xd99fdbdfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ffeb0000 | 0x7df5ffeb0000 | 0x7ff5ffeaffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6a40000 | 0x7ff6d6a40000 | 0x7ff6d6b3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6b40000 | 0x7ff6d6b40000 | 0x7ff6d6b62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d6b6d000 | 0x7ff6d6b6d000 | 0x7ff6d6b6efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d6b6f000 | 0x7ff6d6b6f000 | 0x7ff6d6b6ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #51: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #51 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:21, Reason: Child Process |
| Unmonitor | End Time: 00:02:22, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1f30 |
| Parent PID | 0x1ccc (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1F34
0x
1FAC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000e4ef260000 | 0xe4ef260000 | 0xe4ef27ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e4ef260000 | 0xe4ef260000 | 0xe4ef26ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000e4ef270000 | 0xe4ef270000 | 0xe4ef276fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e4ef280000 | 0xe4ef280000 | 0xe4ef293fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e4ef2a0000 | 0xe4ef2a0000 | 0xe4ef31ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e4ef320000 | 0xe4ef320000 | 0xe4ef323fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e4ef330000 | 0xe4ef330000 | 0xe4ef330fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e4ef340000 | 0xe4ef340000 | 0xe4ef341fff | Private Memory | rw |
|
|
|
- |
| private_0x000000e4ef350000 | 0xe4ef350000 | 0xe4ef3cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e4ef3d0000 | 0xe4ef3d0000 | 0xe4ef3d6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xe4ef3e0000 | 0xe4ef3e2fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000e4ef400000 | 0xe4ef400000 | 0xe4ef4fffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xe4ef500000 | 0xe4ef5bdfff | Memory Mapped File | r |
|
|
|
- |
| netmsg.dll.mui | 0xe4ef5c0000 | 0xe4ef5f1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e4ef720000 | 0xe4ef720000 | 0xe4ef72ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffef0000 | 0x7df5ffef0000 | 0x7ff5ffeeffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69c3c0000 | 0x7ff69c3c0000 | 0x7ff69c4bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69c4c0000 | 0x7ff69c4c0000 | 0x7ff69c4e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69c4eb000 | 0x7ff69c4eb000 | 0x7ff69c4ebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c4ec000 | 0x7ff69c4ec000 | 0x7ff69c4edfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c4ee000 | 0x7ff69c4ee000 | 0x7ff69c4effff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50620000 | 0x7ffc50633fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xe4ef3e0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #52: net.exe
0
0
| Information | Value |
|---|---|
| ID | #52 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2098 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
209C
0x
2250
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000033a64c0000 | 0x33a64c0000 | 0x33a64dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000033a64c0000 | 0x33a64c0000 | 0x33a64cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000033a64e0000 | 0x33a64e0000 | 0x33a64f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000033a6500000 | 0x33a6500000 | 0x33a657ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000033a6580000 | 0x33a6580000 | 0x33a6583fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000033a6590000 | 0x33a6590000 | 0x33a6590fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000033a65a0000 | 0x33a65a0000 | 0x33a65a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000033a65c0000 | 0x33a65c0000 | 0x33a66bffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x33a66c0000 | 0x33a677dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ffc80000 | 0x7df5ffc80000 | 0x7ff5ffc7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6f40000 | 0x7ff6d6f40000 | 0x7ff6d703ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d7040000 | 0x7ff6d7040000 | 0x7ff6d7062fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d706d000 | 0x7ff6d706d000 | 0x7ff6d706efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d706f000 | 0x7ff6d706f000 | 0x7ff6d706ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #54: net.exe
0
0
| Information | Value |
|---|---|
| ID | #54 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:29, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2260 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2264
0x
EC4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000090a3bd0000 | 0x90a3bd0000 | 0x90a3beffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000090a3bd0000 | 0x90a3bd0000 | 0x90a3bdffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000090a3bf0000 | 0x90a3bf0000 | 0x90a3c03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000090a3c10000 | 0x90a3c10000 | 0x90a3c8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000090a3c90000 | 0x90a3c90000 | 0x90a3c93fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000090a3ca0000 | 0x90a3ca0000 | 0x90a3ca0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000090a3cb0000 | 0x90a3cb0000 | 0x90a3cb1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x90a3cc0000 | 0x90a3d7dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000090a3e20000 | 0x90a3e20000 | 0x90a3f1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffb40000 | 0x7df5ffb40000 | 0x7ff5ffb3ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6ec0000 | 0x7ff6d6ec0000 | 0x7ff6d6fbffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6fc0000 | 0x7ff6d6fc0000 | 0x7ff6d6fe2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d6fe6000 | 0x7ff6d6fe6000 | 0x7ff6d6fe6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d6fee000 | 0x7ff6d6fee000 | 0x7ff6d6feffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #56: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #56 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:30, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2300 |
| Parent PID | 0x2098 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2304
0x
EC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000f26b750000 | 0xf26b750000 | 0xf26b76ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f26b750000 | 0xf26b750000 | 0xf26b75ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000f26b760000 | 0xf26b760000 | 0xf26b766fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f26b770000 | 0xf26b770000 | 0xf26b783fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f26b790000 | 0xf26b790000 | 0xf26b80ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f26b810000 | 0xf26b810000 | 0xf26b813fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f26b820000 | 0xf26b820000 | 0xf26b820fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f26b830000 | 0xf26b830000 | 0xf26b831fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xf26b840000 | 0xf26b8fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f26b900000 | 0xf26b900000 | 0xf26b97ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f26b980000 | 0xf26b980000 | 0xf26b986fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xf26b990000 | 0xf26b992fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0xf26b9a0000 | 0xf26b9d1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f26ba10000 | 0xf26ba10000 | 0xf26bb0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f26bc00000 | 0xf26bc00000 | 0xf26bc0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff970000 | 0x7df5ff970000 | 0x7ff5ff96ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69be80000 | 0x7ff69be80000 | 0x7ff69bf7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69bf80000 | 0x7ff69bf80000 | 0x7ff69bfa2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69bfab000 | 0x7ff69bfab000 | 0x7ff69bfacfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bfad000 | 0x7ff69bfad000 | 0x7ff69bfaefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bfaf000 | 0x7ff69bfaf000 | 0x7ff69bfaffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xf26b990000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #57: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #57 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:33, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x245c |
| Parent PID | 0x2260 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2460
0x
24B4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000069238a0000 | 0x69238a0000 | 0x69238bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000069238a0000 | 0x69238a0000 | 0x69238affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000069238b0000 | 0x69238b0000 | 0x69238b6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000069238c0000 | 0x69238c0000 | 0x69238d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000069238e0000 | 0x69238e0000 | 0x692395ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006923960000 | 0x6923960000 | 0x6923963fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000006923970000 | 0x6923970000 | 0x6923970fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006923980000 | 0x6923980000 | 0x6923981fff | Private Memory | rw |
|
|
|
- |
| private_0x0000006923990000 | 0x6923990000 | 0x6923996fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x69239a0000 | 0x69239a2fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000069239b0000 | 0x69239b0000 | 0x6923aaffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x6923ab0000 | 0x6923b6dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000006923b70000 | 0x6923b70000 | 0x6923beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006923c20000 | 0x6923c20000 | 0x6923c2ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x6923c30000 | 0x6923c61fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff4f0000 | 0x7df5ff4f0000 | 0x7ff5ff4effff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69b660000 | 0x7ff69b660000 | 0x7ff69b75ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69b760000 | 0x7ff69b760000 | 0x7ff69b782fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69b78a000 | 0x7ff69b78a000 | 0x7ff69b78bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69b78c000 | 0x7ff69b78c000 | 0x7ff69b78dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69b78e000 | 0x7ff69b78e000 | 0x7ff69b78efff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x69239a0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #58: net.exe
0
0
| Information | Value |
|---|---|
| ID | #58 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x25dc |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
25E0
0x
25F8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000058cdc10000 | 0x58cdc10000 | 0x58cdc2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000058cdc10000 | 0x58cdc10000 | 0x58cdc1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000058cdc30000 | 0x58cdc30000 | 0x58cdc43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000058cdc50000 | 0x58cdc50000 | 0x58cdccffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000058cdcd0000 | 0x58cdcd0000 | 0x58cdcd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000058cdce0000 | 0x58cdce0000 | 0x58cdce0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000058cdcf0000 | 0x58cdcf0000 | 0x58cdcf1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x58cdd00000 | 0x58cddbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000058cdef0000 | 0x58cdef0000 | 0x58cdfeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff0b0000 | 0x7df5ff0b0000 | 0x7ff5ff0affff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d71c0000 | 0x7ff6d71c0000 | 0x7ff6d72bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d72c0000 | 0x7ff6d72c0000 | 0x7ff6d72e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d72ed000 | 0x7ff6d72ed000 | 0x7ff6d72eefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d72ef000 | 0x7ff6d72ef000 | 0x7ff6d72effff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #60: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #60 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:36, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x25fc |
| Parent PID | 0x25dc (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2600
0x
2604
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000487d4c0000 | 0x487d4c0000 | 0x487d4dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000487d4c0000 | 0x487d4c0000 | 0x487d4cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000487d4d0000 | 0x487d4d0000 | 0x487d4d6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000487d4e0000 | 0x487d4e0000 | 0x487d4f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000487d500000 | 0x487d500000 | 0x487d57ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000487d580000 | 0x487d580000 | 0x487d583fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000487d590000 | 0x487d590000 | 0x487d590fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000487d5a0000 | 0x487d5a0000 | 0x487d5a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x487d5b0000 | 0x487d66dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000487d670000 | 0x487d670000 | 0x487d6effff | Private Memory | rw |
|
|
|
- |
| private_0x000000487d6f0000 | 0x487d6f0000 | 0x487d6f6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000487d700000 | 0x487d700000 | 0x487d7fffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x487d800000 | 0x487d802fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0x487d810000 | 0x487d841fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000487d9d0000 | 0x487d9d0000 | 0x487d9dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffde0000 | 0x7df5ffde0000 | 0x7ff5ffddffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69c110000 | 0x7ff69c110000 | 0x7ff69c20ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69c210000 | 0x7ff69c210000 | 0x7ff69c232fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69c23b000 | 0x7ff69c23b000 | 0x7ff69c23cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c23d000 | 0x7ff69c23d000 | 0x7ff69c23efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c23f000 | 0x7ff69c23f000 | 0x7ff69c23ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x487d800000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #61: net.exe
0
0
| Information | Value |
|---|---|
| ID | #61 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:40, Reason: Child Process |
| Unmonitor | End Time: 00:02:41, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x26e4 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
26E8
0x
2788
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000005cfd9f0000 | 0x5cfd9f0000 | 0x5cfda0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005cfd9f0000 | 0x5cfd9f0000 | 0x5cfd9fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005cfda10000 | 0x5cfda10000 | 0x5cfda23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005cfda30000 | 0x5cfda30000 | 0x5cfdaaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005cfdab0000 | 0x5cfdab0000 | 0x5cfdab3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005cfdac0000 | 0x5cfdac0000 | 0x5cfdac0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005cfdad0000 | 0x5cfdad0000 | 0x5cfdad1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x5cfdae0000 | 0x5cfdb9dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005cfdcd0000 | 0x5cfdcd0000 | 0x5cfddcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff3a0000 | 0x7df5ff3a0000 | 0x7ff5ff39ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6650000 | 0x7ff6d6650000 | 0x7ff6d674ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6750000 | 0x7ff6d6750000 | 0x7ff6d6772fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d677b000 | 0x7ff6d677b000 | 0x7ff6d677bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d677e000 | 0x7ff6d677e000 | 0x7ff6d677ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #63: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #63 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:41, Reason: Child Process |
| Unmonitor | End Time: 00:02:41, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2794 |
| Parent PID | 0x26e4 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2798
0x
279C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000e994960000 | 0xe994960000 | 0xe99497ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e994960000 | 0xe994960000 | 0xe99496ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000e994970000 | 0xe994970000 | 0xe994976fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e994980000 | 0xe994980000 | 0xe994993fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e9949a0000 | 0xe9949a0000 | 0xe994a1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e994a20000 | 0xe994a20000 | 0xe994a23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e994a30000 | 0xe994a30000 | 0xe994a30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e994a40000 | 0xe994a40000 | 0xe994a41fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xe994a50000 | 0xe994b0dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e994b10000 | 0xe994b10000 | 0xe994b16fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xe994b20000 | 0xe994b22fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000e994b50000 | 0xe994b50000 | 0xe994c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e994c50000 | 0xe994c50000 | 0xe994ccffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0xe994cd0000 | 0xe994d01fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e994e50000 | 0xe994e50000 | 0xe994e5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffc00000 | 0x7df5ffc00000 | 0x7ff5ffbfffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69ba80000 | 0x7ff69ba80000 | 0x7ff69bb7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69bb80000 | 0x7ff69bb80000 | 0x7ff69bba2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69bbab000 | 0x7ff69bbab000 | 0x7ff69bbacfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bbad000 | 0x7ff69bbad000 | 0x7ff69bbaefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bbaf000 | 0x7ff69bbaf000 | 0x7ff69bbaffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xe994b20000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #64: net.exe
0
0
| Information | Value |
|---|---|
| ID | #64 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:46, Reason: Child Process |
| Unmonitor | End Time: 00:02:46, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x27d8 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
27DC
0x
27F4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000604cbd0000 | 0x604cbd0000 | 0x604cbeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000604cbd0000 | 0x604cbd0000 | 0x604cbdffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000604cbf0000 | 0x604cbf0000 | 0x604cc03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000604cc10000 | 0x604cc10000 | 0x604cc8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000604cc90000 | 0x604cc90000 | 0x604cc93fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000604cca0000 | 0x604cca0000 | 0x604cca0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000604ccb0000 | 0x604ccb0000 | 0x604ccb1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x604ccc0000 | 0x604cd7dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000604ce50000 | 0x604ce50000 | 0x604cf4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff170000 | 0x7df5ff170000 | 0x7ff5ff16ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6e80000 | 0x7ff6d6e80000 | 0x7ff6d6f7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6f80000 | 0x7ff6d6f80000 | 0x7ff6d6fa2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d6fad000 | 0x7ff6d6fad000 | 0x7ff6d6faefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d6faf000 | 0x7ff6d6faf000 | 0x7ff6d6faffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #66: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #66 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:46, Reason: Child Process |
| Unmonitor | End Time: 00:02:46, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x27f8 |
| Parent PID | 0x27d8 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
27FC
0x
F28
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000007107ad0000 | 0x7107ad0000 | 0x7107aeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007107ad0000 | 0x7107ad0000 | 0x7107adffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000007107ae0000 | 0x7107ae0000 | 0x7107ae6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007107af0000 | 0x7107af0000 | 0x7107b03fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007107b10000 | 0x7107b10000 | 0x7107b8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007107b90000 | 0x7107b90000 | 0x7107b93fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000007107ba0000 | 0x7107ba0000 | 0x7107ba0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007107bb0000 | 0x7107bb0000 | 0x7107bb1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x7107bc0000 | 0x7107c7dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000007107c80000 | 0x7107c80000 | 0x7107cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007107d00000 | 0x7107d00000 | 0x7107d06fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x7107d10000 | 0x7107d12fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0x7107d20000 | 0x7107d51fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000007107db0000 | 0x7107db0000 | 0x7107eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007108040000 | 0x7108040000 | 0x710804ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffc30000 | 0x7df5ffc30000 | 0x7ff5ffc2ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69bed0000 | 0x7ff69bed0000 | 0x7ff69bfcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69bfd0000 | 0x7ff69bfd0000 | 0x7ff69bff2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69bff9000 | 0x7ff69bff9000 | 0x7ff69bff9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bffc000 | 0x7ff69bffc000 | 0x7ff69bffdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bffe000 | 0x7ff69bffe000 | 0x7ff69bffffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x7107d10000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #67: net.exe
0
0
| Information | Value |
|---|---|
| ID | #67 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:50, Reason: Child Process |
| Unmonitor | End Time: 00:02:52, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2c28 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2C2C
0x
2C44
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000008a29be0000 | 0x8a29be0000 | 0x8a29bfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008a29be0000 | 0x8a29be0000 | 0x8a29beffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000008a29c00000 | 0x8a29c00000 | 0x8a29c13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008a29c20000 | 0x8a29c20000 | 0x8a29c9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008a29ca0000 | 0x8a29ca0000 | 0x8a29ca3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008a29cb0000 | 0x8a29cb0000 | 0x8a29cb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008a29cc0000 | 0x8a29cc0000 | 0x8a29cc1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008a29d50000 | 0x8a29d50000 | 0x8a29e4ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x8a29e50000 | 0x8a29f0dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff880000 | 0x7df5ff880000 | 0x7ff5ff87ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6b30000 | 0x7ff6d6b30000 | 0x7ff6d6c2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6c30000 | 0x7ff6d6c30000 | 0x7ff6d6c52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d6c5c000 | 0x7ff6d6c5c000 | 0x7ff6d6c5cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d6c5e000 | 0x7ff6d6c5e000 | 0x7ff6d6c5ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #69: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #69 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:51, Reason: Child Process |
| Unmonitor | End Time: 00:02:52, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2c48 |
| Parent PID | 0x2c28 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2C4C
0x
2C50
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000f81bd20000 | 0xf81bd20000 | 0xf81bd3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f81bd20000 | 0xf81bd20000 | 0xf81bd2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000f81bd30000 | 0xf81bd30000 | 0xf81bd36fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f81bd40000 | 0xf81bd40000 | 0xf81bd53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f81bd60000 | 0xf81bd60000 | 0xf81bddffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f81bde0000 | 0xf81bde0000 | 0xf81bde3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f81bdf0000 | 0xf81bdf0000 | 0xf81bdf0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f81be00000 | 0xf81be00000 | 0xf81be01fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xf81be10000 | 0xf81becdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f81bed0000 | 0xf81bed0000 | 0xf81bf4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f81bf50000 | 0xf81bf50000 | 0xf81bf5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f81bf60000 | 0xf81bf60000 | 0xf81bf66fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xf81bf70000 | 0xf81bf72fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000f81bfb0000 | 0xf81bfb0000 | 0xf81c0affff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0xf81c0b0000 | 0xf81c0e1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff710000 | 0x7df5ff710000 | 0x7ff5ff70ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69ba20000 | 0x7ff69ba20000 | 0x7ff69bb1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69bb20000 | 0x7ff69bb20000 | 0x7ff69bb42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69bb45000 | 0x7ff69bb45000 | 0x7ff69bb45fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bb4c000 | 0x7ff69bb4c000 | 0x7ff69bb4dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bb4e000 | 0x7ff69bb4e000 | 0x7ff69bb4ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xf81bf70000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #70: net.exe
0
0
| Information | Value |
|---|---|
| ID | #70 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:58, Reason: Child Process |
| Unmonitor | End Time: 00:03:05, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3300 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3304
0x
3430
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000004f64d40000 | 0x4f64d40000 | 0x4f64d5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004f64d40000 | 0x4f64d40000 | 0x4f64d4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000004f64d60000 | 0x4f64d60000 | 0x4f64d73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004f64d80000 | 0x4f64d80000 | 0x4f64dfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004f64e00000 | 0x4f64e00000 | 0x4f64e03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000004f64e10000 | 0x4f64e10000 | 0x4f64e10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004f64e20000 | 0x4f64e20000 | 0x4f64e21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000004f64ec0000 | 0x4f64ec0000 | 0x4f64fbffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x4f64fc0000 | 0x4f6507dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff280000 | 0x7df5ff280000 | 0x7ff5ff27ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d69d0000 | 0x7ff6d69d0000 | 0x7ff6d6acffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6ad0000 | 0x7ff6d6ad0000 | 0x7ff6d6af2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d6af8000 | 0x7ff6d6af8000 | 0x7ff6d6af8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d6afe000 | 0x7ff6d6afe000 | 0x7ff6d6afffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #72: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #72 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:59, Reason: Child Process |
| Unmonitor | End Time: 00:03:03, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3460 |
| Parent PID | 0x3300 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3464
0x
355C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000800cef0000 | 0x800cef0000 | 0x800cf0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000800cef0000 | 0x800cef0000 | 0x800cefffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000800cf00000 | 0x800cf00000 | 0x800cf06fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000800cf10000 | 0x800cf10000 | 0x800cf23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000800cf30000 | 0x800cf30000 | 0x800cfaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000800cfb0000 | 0x800cfb0000 | 0x800cfb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000800cfc0000 | 0x800cfc0000 | 0x800cfc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000800cfd0000 | 0x800cfd0000 | 0x800cfd1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x800cfe0000 | 0x800d09dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000800d0a0000 | 0x800d0a0000 | 0x800d11ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000800d120000 | 0x800d120000 | 0x800d126fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x800d130000 | 0x800d132fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000800d140000 | 0x800d140000 | 0x800d23ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000800d260000 | 0x800d260000 | 0x800d26ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x800d270000 | 0x800d2a1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff720000 | 0x7df5ff720000 | 0x7ff5ff71ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69bef0000 | 0x7ff69bef0000 | 0x7ff69bfeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69bff0000 | 0x7ff69bff0000 | 0x7ff69c012fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69c01a000 | 0x7ff69c01a000 | 0x7ff69c01afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c01c000 | 0x7ff69c01c000 | 0x7ff69c01dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c01e000 | 0x7ff69c01e000 | 0x7ff69c01ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50390000 | 0x7ffc503a3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x800d130000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #73: net.exe
0
0
| Information | Value |
|---|---|
| ID | #73 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:02, Reason: Child Process |
| Unmonitor | End Time: 00:03:08, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3890 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3894
0x
3A20
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000bbb95a0000 | 0xbbb95a0000 | 0xbbb95bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000bbb95a0000 | 0xbbb95a0000 | 0xbbb95affff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000bbb95c0000 | 0xbbb95c0000 | 0xbbb95d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000bbb95e0000 | 0xbbb95e0000 | 0xbbb965ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000bbb9660000 | 0xbbb9660000 | 0xbbb9663fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000bbb9670000 | 0xbbb9670000 | 0xbbb9670fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000bbb9680000 | 0xbbb9680000 | 0xbbb9681fff | Private Memory | rw |
|
|
|
- |
| private_0x000000bbb96e0000 | 0xbbb96e0000 | 0xbbb97dffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xbbb97e0000 | 0xbbb989dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff880000 | 0x7df5ff880000 | 0x7ff5ff87ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6280000 | 0x7ff6d6280000 | 0x7ff6d637ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6380000 | 0x7ff6d6380000 | 0x7ff6d63a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d63ad000 | 0x7ff6d63ad000 | 0x7ff6d63adfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d63ae000 | 0x7ff6d63ae000 | 0x7ff6d63affff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #75: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #75 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:04, Reason: Child Process |
| Unmonitor | End Time: 00:03:07, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3a44 |
| Parent PID | 0x3890 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3A48
0x
3B4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000001cac340000 | 0x1cac340000 | 0x1cac35ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001cac340000 | 0x1cac340000 | 0x1cac34ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000001cac350000 | 0x1cac350000 | 0x1cac356fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001cac360000 | 0x1cac360000 | 0x1cac373fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001cac380000 | 0x1cac380000 | 0x1cac3fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001cac400000 | 0x1cac400000 | 0x1cac403fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001cac410000 | 0x1cac410000 | 0x1cac410fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001cac420000 | 0x1cac420000 | 0x1cac421fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x1cac430000 | 0x1cac4edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001cac4f0000 | 0x1cac4f0000 | 0x1cac56ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001cac570000 | 0x1cac570000 | 0x1cac576fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x1cac580000 | 0x1cac582fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000001cac5a0000 | 0x1cac5a0000 | 0x1cac69ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x1cac6a0000 | 0x1cac6d1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001cac750000 | 0x1cac750000 | 0x1cac75ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffe00000 | 0x7df5ffe00000 | 0x7ff5ffdfffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69b710000 | 0x7ff69b710000 | 0x7ff69b80ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69b810000 | 0x7ff69b810000 | 0x7ff69b832fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69b83a000 | 0x7ff69b83a000 | 0x7ff69b83bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69b83c000 | 0x7ff69b83c000 | 0x7ff69b83dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69b83e000 | 0x7ff69b83e000 | 0x7ff69b83efff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50390000 | 0x7ffc503a3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x1cac580000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #76: net.exe
0
0
| Information | Value |
|---|---|
| ID | #76 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:08, Reason: Child Process |
| Unmonitor | End Time: 00:03:16, Reason: Self Terminated |
| Monitor Duration | 00:00:08 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x44dc |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
44E0
0x
476C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000ca980f0000 | 0xca980f0000 | 0xca9810ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ca980f0000 | 0xca980f0000 | 0xca980fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ca98110000 | 0xca98110000 | 0xca98123fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ca98130000 | 0xca98130000 | 0xca981affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ca981b0000 | 0xca981b0000 | 0xca981b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ca981c0000 | 0xca981c0000 | 0xca981c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ca981d0000 | 0xca981d0000 | 0xca981d1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xca981e0000 | 0xca9829dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ca98330000 | 0xca98330000 | 0xca9842ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff060000 | 0x7df5ff060000 | 0x7ff5ff05ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6330000 | 0x7ff6d6330000 | 0x7ff6d642ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6430000 | 0x7ff6d6430000 | 0x7ff6d6452fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d6459000 | 0x7ff6d6459000 | 0x7ff6d6459fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d645e000 | 0x7ff6d645e000 | 0x7ff6d645ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #78: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #78 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:11, Reason: Child Process |
| Unmonitor | End Time: 00:03:16, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x47dc |
| Parent PID | 0x44dc (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
47E0
0x
48A0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000000656240000 | 0x656240000 | 0x65625ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000656240000 | 0x656240000 | 0x65624ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000656250000 | 0x656250000 | 0x656256fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000656260000 | 0x656260000 | 0x656273fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000656280000 | 0x656280000 | 0x6562fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000656300000 | 0x656300000 | 0x656303fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000656310000 | 0x656310000 | 0x656310fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000656320000 | 0x656320000 | 0x656321fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x656330000 | 0x6563edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000006563f0000 | 0x6563f0000 | 0x65646ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000656470000 | 0x656470000 | 0x656476fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000656480000 | 0x656480000 | 0x65648ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000656490000 | 0x656490000 | 0x65658ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x656590000 | 0x656592fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0x6565a0000 | 0x6565d1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff5a0000 | 0x7df5ff5a0000 | 0x7ff5ff59ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69c2e0000 | 0x7ff69c2e0000 | 0x7ff69c3dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69c3e0000 | 0x7ff69c3e0000 | 0x7ff69c402fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69c40a000 | 0x7ff69c40a000 | 0x7ff69c40afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c40c000 | 0x7ff69c40c000 | 0x7ff69c40dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c40e000 | 0x7ff69c40e000 | 0x7ff69c40ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50390000 | 0x7ffc503a3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x656590000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #79: net.exe
0
0
| Information | Value |
|---|---|
| ID | #79 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:12, Reason: Child Process |
| Unmonitor | End Time: 00:03:16, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4b08 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4B0C
0x
4E38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000030d0d90000 | 0x30d0d90000 | 0x30d0daffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000030d0d90000 | 0x30d0d90000 | 0x30d0d9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000030d0db0000 | 0x30d0db0000 | 0x30d0dc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000030d0dd0000 | 0x30d0dd0000 | 0x30d0e4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000030d0e50000 | 0x30d0e50000 | 0x30d0e53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000030d0e60000 | 0x30d0e60000 | 0x30d0e60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000030d0e70000 | 0x30d0e70000 | 0x30d0e71fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x30d0e80000 | 0x30d0f3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000030d0ff0000 | 0x30d0ff0000 | 0x30d10effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff010000 | 0x7df5ff010000 | 0x7ff5ff00ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6970000 | 0x7ff6d6970000 | 0x7ff6d6a6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6a70000 | 0x7ff6d6a70000 | 0x7ff6d6a92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d6a9d000 | 0x7ff6d6a9d000 | 0x7ff6d6a9efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d6a9f000 | 0x7ff6d6a9f000 | 0x7ff6d6a9ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #81: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #81 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:15, Reason: Child Process |
| Unmonitor | End Time: 00:03:16, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4f38 |
| Parent PID | 0x4b08 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4F3C
0x
4F6C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000092ea080000 | 0x92ea080000 | 0x92ea09ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000092ea080000 | 0x92ea080000 | 0x92ea08ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000092ea090000 | 0x92ea090000 | 0x92ea096fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000092ea0a0000 | 0x92ea0a0000 | 0x92ea0b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000092ea0c0000 | 0x92ea0c0000 | 0x92ea13ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000092ea140000 | 0x92ea140000 | 0x92ea143fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000092ea150000 | 0x92ea150000 | 0x92ea150fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000092ea160000 | 0x92ea160000 | 0x92ea161fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x92ea170000 | 0x92ea22dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000092ea230000 | 0x92ea230000 | 0x92ea236fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x92ea240000 | 0x92ea242fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000092ea270000 | 0x92ea270000 | 0x92ea36ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000092ea370000 | 0x92ea370000 | 0x92ea3effff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x92ea3f0000 | 0x92ea421fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000092ea5c0000 | 0x92ea5c0000 | 0x92ea5cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff570000 | 0x7df5ff570000 | 0x7ff5ff56ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69c190000 | 0x7ff69c190000 | 0x7ff69c28ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69c290000 | 0x7ff69c290000 | 0x7ff69c2b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69c2b4000 | 0x7ff69c2b4000 | 0x7ff69c2b4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c2bc000 | 0x7ff69c2bc000 | 0x7ff69c2bdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c2be000 | 0x7ff69c2be000 | 0x7ff69c2bffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50390000 | 0x7ffc503a3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x92ea240000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #82: net.exe
0
0
| Information | Value |
|---|---|
| ID | #82 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:19, Reason: Child Process |
| Unmonitor | End Time: 00:03:20, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x558c |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5590
0x
55AC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000006021df0000 | 0x6021df0000 | 0x6021e0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006021df0000 | 0x6021df0000 | 0x6021dfffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000006021e10000 | 0x6021e10000 | 0x6021e23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006021e30000 | 0x6021e30000 | 0x6021eaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006021eb0000 | 0x6021eb0000 | 0x6021eb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000006021ec0000 | 0x6021ec0000 | 0x6021ec0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006021ed0000 | 0x6021ed0000 | 0x6021ed1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x6021ee0000 | 0x6021f9dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000006021ff0000 | 0x6021ff0000 | 0x60220effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffaf0000 | 0x7df5ffaf0000 | 0x7ff5ffaeffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6a50000 | 0x7ff6d6a50000 | 0x7ff6d6b4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6b50000 | 0x7ff6d6b50000 | 0x7ff6d6b72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d6b7c000 | 0x7ff6d6b7c000 | 0x7ff6d6b7cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d6b7e000 | 0x7ff6d6b7e000 | 0x7ff6d6b7ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #84: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #84 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:19, Reason: Child Process |
| Unmonitor | End Time: 00:03:20, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x55b0 |
| Parent PID | 0x558c (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
55B4
0x
55B8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000b84d9f0000 | 0xb84d9f0000 | 0xb84da0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b84d9f0000 | 0xb84d9f0000 | 0xb84d9fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b84da00000 | 0xb84da00000 | 0xb84da06fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b84da10000 | 0xb84da10000 | 0xb84da23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b84da30000 | 0xb84da30000 | 0xb84daaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b84dab0000 | 0xb84dab0000 | 0xb84dab3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b84dac0000 | 0xb84dac0000 | 0xb84dac0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b84dad0000 | 0xb84dad0000 | 0xb84dad1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b84dae0000 | 0xb84dae0000 | 0xb84dae6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xb84daf0000 | 0xb84daf2fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000b84db30000 | 0xb84db30000 | 0xb84db3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b84db50000 | 0xb84db50000 | 0xb84dc4ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xb84dc50000 | 0xb84dd0dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b84dd10000 | 0xb84dd10000 | 0xb84dd8ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0xb84dd90000 | 0xb84ddc1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ffff0000 | 0x7df5ffff0000 | 0x7ff5fffeffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69c3d0000 | 0x7ff69c3d0000 | 0x7ff69c4cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69c4d0000 | 0x7ff69c4d0000 | 0x7ff69c4f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69c4fa000 | 0x7ff69c4fa000 | 0x7ff69c4fbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c4fc000 | 0x7ff69c4fc000 | 0x7ff69c4fcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c4fe000 | 0x7ff69c4fe000 | 0x7ff69c4fffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50390000 | 0x7ffc503a3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xb84daf0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #85: net.exe
0
0
| Information | Value |
|---|---|
| ID | #85 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:22, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x55cc |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
55D0
0x
55E8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000d916890000 | 0xd916890000 | 0xd9168affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d916890000 | 0xd916890000 | 0xd91689ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000d9168b0000 | 0xd9168b0000 | 0xd9168c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d9168d0000 | 0xd9168d0000 | 0xd91694ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d916950000 | 0xd916950000 | 0xd916953fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d916960000 | 0xd916960000 | 0xd916960fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d916970000 | 0xd916970000 | 0xd916971fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xd916980000 | 0xd916a3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d916a40000 | 0xd916a40000 | 0xd916b3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff420000 | 0x7df5ff420000 | 0x7ff5ff41ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6a90000 | 0x7ff6d6a90000 | 0x7ff6d6b8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6b90000 | 0x7ff6d6b90000 | 0x7ff6d6bb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d6bb7000 | 0x7ff6d6bb7000 | 0x7ff6d6bb7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d6bbe000 | 0x7ff6d6bbe000 | 0x7ff6d6bbffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #87: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #87 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:23, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x55ec |
| Parent PID | 0x55cc (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
55F0
0x
55F4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000098708a0000 | 0x98708a0000 | 0x98708bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000098708a0000 | 0x98708a0000 | 0x98708affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000098708b0000 | 0x98708b0000 | 0x98708b6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000098708c0000 | 0x98708c0000 | 0x98708d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000098708e0000 | 0x98708e0000 | 0x987095ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000009870960000 | 0x9870960000 | 0x9870963fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000009870970000 | 0x9870970000 | 0x9870970fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000009870980000 | 0x9870980000 | 0x9870981fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x9870990000 | 0x9870a4dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000009870a50000 | 0x9870a50000 | 0x9870acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000009870ad0000 | 0x9870ad0000 | 0x9870ad6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x9870ae0000 | 0x9870ae2fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0x9870af0000 | 0x9870b21fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000009870b40000 | 0x9870b40000 | 0x9870c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000009870dc0000 | 0x9870dc0000 | 0x9870dcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffb40000 | 0x7df5ffb40000 | 0x7ff5ffb3ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69c240000 | 0x7ff69c240000 | 0x7ff69c33ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69c340000 | 0x7ff69c340000 | 0x7ff69c362fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69c363000 | 0x7ff69c363000 | 0x7ff69c363fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c36c000 | 0x7ff69c36c000 | 0x7ff69c36dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c36e000 | 0x7ff69c36e000 | 0x7ff69c36ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50390000 | 0x7ffc503a3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x9870ae0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #88: net.exe
0
0
| Information | Value |
|---|---|
| ID | #88 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:29, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5918 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
591C
0x
5938
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000e41e3e0000 | 0xe41e3e0000 | 0xe41e3fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e41e3e0000 | 0xe41e3e0000 | 0xe41e3effff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000e41e400000 | 0xe41e400000 | 0xe41e413fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e41e420000 | 0xe41e420000 | 0xe41e49ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e41e4a0000 | 0xe41e4a0000 | 0xe41e4a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e41e4b0000 | 0xe41e4b0000 | 0xe41e4b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e41e4c0000 | 0xe41e4c0000 | 0xe41e4c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xe41e4d0000 | 0xe41e58dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e41e630000 | 0xe41e630000 | 0xe41e72ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff9c0000 | 0x7df5ff9c0000 | 0x7ff5ff9bffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d67a0000 | 0x7ff6d67a0000 | 0x7ff6d689ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d68a0000 | 0x7ff6d68a0000 | 0x7ff6d68c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d68cc000 | 0x7ff6d68cc000 | 0x7ff6d68ccfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d68ce000 | 0x7ff6d68ce000 | 0x7ff6d68cffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #90: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #90 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:30, Reason: Child Process |
| Unmonitor | End Time: 00:03:31, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x59d8 |
| Parent PID | 0x5918 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
59DC
0x
5A88
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000070d3b30000 | 0x70d3b30000 | 0x70d3b4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000070d3b30000 | 0x70d3b30000 | 0x70d3b3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000070d3b40000 | 0x70d3b40000 | 0x70d3b46fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000070d3b50000 | 0x70d3b50000 | 0x70d3b63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000070d3b70000 | 0x70d3b70000 | 0x70d3beffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000070d3bf0000 | 0x70d3bf0000 | 0x70d3bf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000070d3c00000 | 0x70d3c00000 | 0x70d3c00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000070d3c10000 | 0x70d3c10000 | 0x70d3c11fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x70d3c20000 | 0x70d3cddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000070d3ce0000 | 0x70d3ce0000 | 0x70d3ce6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x70d3cf0000 | 0x70d3cf2fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000070d3d30000 | 0x70d3d30000 | 0x70d3d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000070d3d40000 | 0x70d3d40000 | 0x70d3e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000070d3e40000 | 0x70d3e40000 | 0x70d3ebffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x70d3ec0000 | 0x70d3ef1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff930000 | 0x7df5ff930000 | 0x7ff5ff92ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69b780000 | 0x7ff69b780000 | 0x7ff69b87ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69b880000 | 0x7ff69b880000 | 0x7ff69b8a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69b8aa000 | 0x7ff69b8aa000 | 0x7ff69b8aafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69b8ac000 | 0x7ff69b8ac000 | 0x7ff69b8adfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69b8ae000 | 0x7ff69b8ae000 | 0x7ff69b8affff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50390000 | 0x7ffc503a3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x70d3cf0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #91: net.exe
0
0
| Information | Value |
|---|---|
| ID | #91 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:33, Reason: Child Process |
| Unmonitor | End Time: 00:03:34, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5aa0 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5AA4
0x
5ABC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000006260720000 | 0x6260720000 | 0x626073ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006260720000 | 0x6260720000 | 0x626072ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000006260740000 | 0x6260740000 | 0x6260753fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006260760000 | 0x6260760000 | 0x62607dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000062607e0000 | 0x62607e0000 | 0x62607e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000062607f0000 | 0x62607f0000 | 0x62607f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006260800000 | 0x6260800000 | 0x6260801fff | Private Memory | rw |
|
|
|
- |
| private_0x0000006260890000 | 0x6260890000 | 0x626098ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x6260990000 | 0x6260a4dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff520000 | 0x7df5ff520000 | 0x7ff5ff51ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6750000 | 0x7ff6d6750000 | 0x7ff6d684ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6850000 | 0x7ff6d6850000 | 0x7ff6d6872fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d6879000 | 0x7ff6d6879000 | 0x7ff6d6879fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d687e000 | 0x7ff6d687e000 | 0x7ff6d687ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #93: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #93 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:33, Reason: Child Process |
| Unmonitor | End Time: 00:03:34, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5ac4 |
| Parent PID | 0x5aa0 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5AC8
0x
5AD0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000ac440b0000 | 0xac440b0000 | 0xac440cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ac440b0000 | 0xac440b0000 | 0xac440bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ac440c0000 | 0xac440c0000 | 0xac440c6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ac440d0000 | 0xac440d0000 | 0xac440e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ac440f0000 | 0xac440f0000 | 0xac4416ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ac44170000 | 0xac44170000 | 0xac44173fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ac44180000 | 0xac44180000 | 0xac44180fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ac44190000 | 0xac44190000 | 0xac44191fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xac441a0000 | 0xac4425dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ac44260000 | 0xac44260000 | 0xac442dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ac442e0000 | 0xac442e0000 | 0xac442e6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xac442f0000 | 0xac442f2fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000ac44300000 | 0xac44300000 | 0xac443fffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0xac44400000 | 0xac44431fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ac44590000 | 0xac44590000 | 0xac4459ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff050000 | 0x7df5ff050000 | 0x7ff5ff04ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69bbe0000 | 0x7ff69bbe0000 | 0x7ff69bcdffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69bce0000 | 0x7ff69bce0000 | 0x7ff69bd02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69bd06000 | 0x7ff69bd06000 | 0x7ff69bd06fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bd0c000 | 0x7ff69bd0c000 | 0x7ff69bd0dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bd0e000 | 0x7ff69bd0e000 | 0x7ff69bd0ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50390000 | 0x7ffc503a3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xac442f0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #94: net.exe
0
0
| Information | Value |
|---|---|
| ID | #94 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:40, Reason: Child Process |
| Unmonitor | End Time: 00:03:43, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5cc4 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5CC8
0x
5D10
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000173d290000 | 0x173d290000 | 0x173d2affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000173d290000 | 0x173d290000 | 0x173d29ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000173d2b0000 | 0x173d2b0000 | 0x173d2c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000173d2d0000 | 0x173d2d0000 | 0x173d34ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000173d350000 | 0x173d350000 | 0x173d353fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000173d360000 | 0x173d360000 | 0x173d360fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000173d370000 | 0x173d370000 | 0x173d371fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x173d380000 | 0x173d43dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000173d470000 | 0x173d470000 | 0x173d56ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5fffa0000 | 0x7df5fffa0000 | 0x7ff5fff9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6fc0000 | 0x7ff6d6fc0000 | 0x7ff6d70bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d70c0000 | 0x7ff6d70c0000 | 0x7ff6d70e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d70ed000 | 0x7ff6d70ed000 | 0x7ff6d70eefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d70ef000 | 0x7ff6d70ef000 | 0x7ff6d70effff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #96: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #96 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:41, Reason: Child Process |
| Unmonitor | End Time: 00:03:42, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5d14 |
| Parent PID | 0x5cc4 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5D18
0x
5D24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000007931e40000 | 0x7931e40000 | 0x7931e5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007931e40000 | 0x7931e40000 | 0x7931e4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000007931e50000 | 0x7931e50000 | 0x7931e56fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007931e60000 | 0x7931e60000 | 0x7931e73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007931e80000 | 0x7931e80000 | 0x7931efffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007931f00000 | 0x7931f00000 | 0x7931f03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000007931f10000 | 0x7931f10000 | 0x7931f10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007931f20000 | 0x7931f20000 | 0x7931f21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000007931f30000 | 0x7931f30000 | 0x7931f36fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x7931f40000 | 0x7931f42fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000007931f80000 | 0x7931f80000 | 0x793207ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x7932080000 | 0x793213dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000007932140000 | 0x7932140000 | 0x79321bffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x79321c0000 | 0x79321f1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000007932370000 | 0x7932370000 | 0x793237ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffff0000 | 0x7df5ffff0000 | 0x7ff5fffeffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69bb50000 | 0x7ff69bb50000 | 0x7ff69bc4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69bc50000 | 0x7ff69bc50000 | 0x7ff69bc72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69bc7a000 | 0x7ff69bc7a000 | 0x7ff69bc7bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bc7c000 | 0x7ff69bc7c000 | 0x7ff69bc7dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bc7e000 | 0x7ff69bc7e000 | 0x7ff69bc7efff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50390000 | 0x7ffc503a3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x7931f40000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #97: net.exe
0
0
| Information | Value |
|---|---|
| ID | #97 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:43, Reason: Child Process |
| Unmonitor | End Time: 00:03:44, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5eb8 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5EBC
0x
5ED4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000004817c00000 | 0x4817c00000 | 0x4817c1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004817c00000 | 0x4817c00000 | 0x4817c0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000004817c20000 | 0x4817c20000 | 0x4817c33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004817c40000 | 0x4817c40000 | 0x4817cbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004817cc0000 | 0x4817cc0000 | 0x4817cc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000004817cd0000 | 0x4817cd0000 | 0x4817cd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004817ce0000 | 0x4817ce0000 | 0x4817ce1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x4817cf0000 | 0x4817dadfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004817ed0000 | 0x4817ed0000 | 0x4817fcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff6f0000 | 0x7df5ff6f0000 | 0x7ff5ff6effff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6d90000 | 0x7ff6d6d90000 | 0x7ff6d6e8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6e90000 | 0x7ff6d6e90000 | 0x7ff6d6eb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d6eb5000 | 0x7ff6d6eb5000 | 0x7ff6d6eb5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d6ebe000 | 0x7ff6d6ebe000 | 0x7ff6d6ebffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #99: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #99 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:44, Reason: Child Process |
| Unmonitor | End Time: 00:03:44, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5ef4 |
| Parent PID | 0x5eb8 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5EF8
0x
5F04
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000002d01bb0000 | 0x2d01bb0000 | 0x2d01bcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002d01bb0000 | 0x2d01bb0000 | 0x2d01bbffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000002d01bc0000 | 0x2d01bc0000 | 0x2d01bc6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002d01bd0000 | 0x2d01bd0000 | 0x2d01be3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002d01bf0000 | 0x2d01bf0000 | 0x2d01c6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002d01c70000 | 0x2d01c70000 | 0x2d01c73fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000002d01c80000 | 0x2d01c80000 | 0x2d01c80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002d01c90000 | 0x2d01c90000 | 0x2d01c91fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x2d01ca0000 | 0x2d01d5dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000002d01d60000 | 0x2d01d60000 | 0x2d01e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002d01e60000 | 0x2d01e60000 | 0x2d01edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000002d01ee0000 | 0x2d01ee0000 | 0x2d01ee6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x2d01ef0000 | 0x2d01ef2fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0x2d01f00000 | 0x2d01f31fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000002d02030000 | 0x2d02030000 | 0x2d0203ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff190000 | 0x7df5ff190000 | 0x7ff5ff18ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69c290000 | 0x7ff69c290000 | 0x7ff69c38ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69c390000 | 0x7ff69c390000 | 0x7ff69c3b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69c3bb000 | 0x7ff69c3bb000 | 0x7ff69c3bcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c3bd000 | 0x7ff69c3bd000 | 0x7ff69c3befff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c3bf000 | 0x7ff69c3bf000 | 0x7ff69c3bffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50390000 | 0x7ffc503a3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x2d01ef0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #100: net.exe
0
0
| Information | Value |
|---|---|
| ID | #100 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:50, Reason: Child Process |
| Unmonitor | End Time: 00:03:51, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6080 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6084
0x
60A4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000a6e28f0000 | 0xa6e28f0000 | 0xa6e290ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a6e28f0000 | 0xa6e28f0000 | 0xa6e28fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a6e2910000 | 0xa6e2910000 | 0xa6e2923fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a6e2930000 | 0xa6e2930000 | 0xa6e29affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a6e29b0000 | 0xa6e29b0000 | 0xa6e29b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a6e29c0000 | 0xa6e29c0000 | 0xa6e29c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a6e29d0000 | 0xa6e29d0000 | 0xa6e29d1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a6e2a50000 | 0xa6e2a50000 | 0xa6e2b4ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xa6e2b50000 | 0xa6e2c0dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ffa90000 | 0x7df5ffa90000 | 0x7ff5ffa8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6530000 | 0x7ff6d6530000 | 0x7ff6d662ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6630000 | 0x7ff6d6630000 | 0x7ff6d6652fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d665d000 | 0x7ff6d665d000 | 0x7ff6d665dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d665e000 | 0x7ff6d665e000 | 0x7ff6d665ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #102: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #102 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:51, Reason: Child Process |
| Unmonitor | End Time: 00:03:52, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x60a8 |
| Parent PID | 0x6080 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
60AC
0x
60B0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000b9ae5f0000 | 0xb9ae5f0000 | 0xb9ae60ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b9ae5f0000 | 0xb9ae5f0000 | 0xb9ae5fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b9ae600000 | 0xb9ae600000 | 0xb9ae606fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b9ae610000 | 0xb9ae610000 | 0xb9ae623fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b9ae630000 | 0xb9ae630000 | 0xb9ae6affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b9ae6b0000 | 0xb9ae6b0000 | 0xb9ae6b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b9ae6c0000 | 0xb9ae6c0000 | 0xb9ae6c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b9ae6d0000 | 0xb9ae6d0000 | 0xb9ae6d1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b9ae6e0000 | 0xb9ae6e0000 | 0xb9ae7dffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xb9ae7e0000 | 0xb9ae89dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b9ae8a0000 | 0xb9ae8a0000 | 0xb9ae91ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b9ae920000 | 0xb9ae920000 | 0xb9ae926fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xb9ae930000 | 0xb9ae932fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0xb9ae940000 | 0xb9ae971fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b9aeb00000 | 0xb9aeb00000 | 0xb9aeb0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff250000 | 0x7df5ff250000 | 0x7ff5ff24ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69bbb0000 | 0x7ff69bbb0000 | 0x7ff69bcaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69bcb0000 | 0x7ff69bcb0000 | 0x7ff69bcd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69bcda000 | 0x7ff69bcda000 | 0x7ff69bcdafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bcdc000 | 0x7ff69bcdc000 | 0x7ff69bcddfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bcde000 | 0x7ff69bcde000 | 0x7ff69bcdffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50390000 | 0x7ffc503a3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xb9ae930000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #103: net.exe
0
0
| Information | Value |
|---|---|
| ID | #103 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:54, Reason: Child Process |
| Unmonitor | End Time: 00:03:56, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x645c |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6460
0x
65FC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000e492ef0000 | 0xe492ef0000 | 0xe492f0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e492ef0000 | 0xe492ef0000 | 0xe492efffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000e492f10000 | 0xe492f10000 | 0xe492f23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e492f30000 | 0xe492f30000 | 0xe492faffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e492fb0000 | 0xe492fb0000 | 0xe492fb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e492fc0000 | 0xe492fc0000 | 0xe492fc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e492fd0000 | 0xe492fd0000 | 0xe492fd1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xe492fe0000 | 0xe49309dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e493100000 | 0xe493100000 | 0xe4931fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff820000 | 0x7df5ff820000 | 0x7ff5ff81ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6ef0000 | 0x7ff6d6ef0000 | 0x7ff6d6feffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6ff0000 | 0x7ff6d6ff0000 | 0x7ff6d7012fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d701d000 | 0x7ff6d701d000 | 0x7ff6d701dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d701e000 | 0x7ff6d701e000 | 0x7ff6d701ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #105: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #105 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:55, Reason: Child Process |
| Unmonitor | End Time: 00:03:56, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6600 |
| Parent PID | 0x645c (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6604
0x
6608
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000b591ca0000 | 0xb591ca0000 | 0xb591cbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b591ca0000 | 0xb591ca0000 | 0xb591caffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b591cb0000 | 0xb591cb0000 | 0xb591cb6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b591cc0000 | 0xb591cc0000 | 0xb591cd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b591ce0000 | 0xb591ce0000 | 0xb591d5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b591d60000 | 0xb591d60000 | 0xb591d63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b591d70000 | 0xb591d70000 | 0xb591d70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b591d80000 | 0xb591d80000 | 0xb591d81fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b591d90000 | 0xb591d90000 | 0xb591d96fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xb591da0000 | 0xb591da2fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000b591db0000 | 0xb591db0000 | 0xb591dbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b591dc0000 | 0xb591dc0000 | 0xb591ebffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xb591ec0000 | 0xb591f7dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b591f80000 | 0xb591f80000 | 0xb591ffffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0xb592000000 | 0xb592031fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff280000 | 0x7df5ff280000 | 0x7ff5ff27ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69c510000 | 0x7ff69c510000 | 0x7ff69c60ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69c610000 | 0x7ff69c610000 | 0x7ff69c632fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69c63b000 | 0x7ff69c63b000 | 0x7ff69c63cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c63d000 | 0x7ff69c63d000 | 0x7ff69c63efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c63f000 | 0x7ff69c63f000 | 0x7ff69c63ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50390000 | 0x7ffc503a3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xb591da0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #106: net.exe
0
0
| Information | Value |
|---|---|
| ID | #106 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:01, Reason: Child Process |
| Unmonitor | End Time: 00:04:03, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x675c |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6760
0x
67D4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000007ee9030000 | 0x7ee9030000 | 0x7ee904ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007ee9030000 | 0x7ee9030000 | 0x7ee903ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000007ee9050000 | 0x7ee9050000 | 0x7ee9063fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007ee9070000 | 0x7ee9070000 | 0x7ee90effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007ee90f0000 | 0x7ee90f0000 | 0x7ee90f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000007ee9100000 | 0x7ee9100000 | 0x7ee9100fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007ee9110000 | 0x7ee9110000 | 0x7ee9111fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x7ee9120000 | 0x7ee91ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000007ee92f0000 | 0x7ee92f0000 | 0x7ee93effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffdc0000 | 0x7df5ffdc0000 | 0x7ff5ffdbffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d71d0000 | 0x7ff6d71d0000 | 0x7ff6d72cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d72d0000 | 0x7ff6d72d0000 | 0x7ff6d72f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d72fc000 | 0x7ff6d72fc000 | 0x7ff6d72fdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d72fe000 | 0x7ff6d72fe000 | 0x7ff6d72fefff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #108: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #108 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:02, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x67d8 |
| Parent PID | 0x675c (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
67DC
0x
67E0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000011c8bf0000 | 0x11c8bf0000 | 0x11c8c0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000011c8bf0000 | 0x11c8bf0000 | 0x11c8bfffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000011c8c00000 | 0x11c8c00000 | 0x11c8c06fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000011c8c10000 | 0x11c8c10000 | 0x11c8c23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000011c8c30000 | 0x11c8c30000 | 0x11c8caffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000011c8cb0000 | 0x11c8cb0000 | 0x11c8cb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000011c8cc0000 | 0x11c8cc0000 | 0x11c8cc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000011c8cd0000 | 0x11c8cd0000 | 0x11c8cd1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x11c8ce0000 | 0x11c8d9dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000011c8da0000 | 0x11c8da0000 | 0x11c8da6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000011c8db0000 | 0x11c8db0000 | 0x11c8eaffff | Private Memory | rw |
|
|
|
- |
| private_0x00000011c8eb0000 | 0x11c8eb0000 | 0x11c8f2ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x11c8f30000 | 0x11c8f32fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0x11c8f40000 | 0x11c8f71fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000011c8fa0000 | 0x11c8fa0000 | 0x11c8faffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffdd0000 | 0x7df5ffdd0000 | 0x7ff5ffdcffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69b6f0000 | 0x7ff69b6f0000 | 0x7ff69b7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69b7f0000 | 0x7ff69b7f0000 | 0x7ff69b812fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69b819000 | 0x7ff69b819000 | 0x7ff69b819fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69b81c000 | 0x7ff69b81c000 | 0x7ff69b81dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69b81e000 | 0x7ff69b81e000 | 0x7ff69b81ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50390000 | 0x7ffc503a3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x11c8f30000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #109: net.exe
0
0
| Information | Value |
|---|---|
| ID | #109 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:04, Reason: Child Process |
| Unmonitor | End Time: 00:04:06, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6814 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6818
0x
687C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000db45a40000 | 0xdb45a40000 | 0xdb45a5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000db45a40000 | 0xdb45a40000 | 0xdb45a4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000db45a60000 | 0xdb45a60000 | 0xdb45a73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000db45a80000 | 0xdb45a80000 | 0xdb45afffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000db45b00000 | 0xdb45b00000 | 0xdb45b03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000db45b10000 | 0xdb45b10000 | 0xdb45b10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000db45b20000 | 0xdb45b20000 | 0xdb45b21fff | Private Memory | rw |
|
|
|
- |
| private_0x000000db45b40000 | 0xdb45b40000 | 0xdb45c3ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xdb45c40000 | 0xdb45cfdfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff010000 | 0x7df5ff010000 | 0x7ff5ff00ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6fb0000 | 0x7ff6d6fb0000 | 0x7ff6d70affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d70b0000 | 0x7ff6d70b0000 | 0x7ff6d70d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d70d9000 | 0x7ff6d70d9000 | 0x7ff6d70d9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d70de000 | 0x7ff6d70de000 | 0x7ff6d70dffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #111: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #111 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:05, Reason: Child Process |
| Unmonitor | End Time: 00:04:06, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x688c |
| Parent PID | 0x6814 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6890
0x
6894
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000097e3ca0000 | 0x97e3ca0000 | 0x97e3cbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000097e3ca0000 | 0x97e3ca0000 | 0x97e3caffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000097e3cb0000 | 0x97e3cb0000 | 0x97e3cb6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000097e3cc0000 | 0x97e3cc0000 | 0x97e3cd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000097e3ce0000 | 0x97e3ce0000 | 0x97e3d5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000097e3d60000 | 0x97e3d60000 | 0x97e3d63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000097e3d70000 | 0x97e3d70000 | 0x97e3d70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000097e3d80000 | 0x97e3d80000 | 0x97e3d81fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x97e3d90000 | 0x97e3e4dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000097e3e50000 | 0x97e3e50000 | 0x97e3e56fff | Private Memory | rw |
|
|
|
- |
| private_0x00000097e3e60000 | 0x97e3e60000 | 0x97e3f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000097e3f60000 | 0x97e3f60000 | 0x97e3fdffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x97e3fe0000 | 0x97e3fe2fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0x97e3ff0000 | 0x97e4021fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000097e4040000 | 0x97e4040000 | 0x97e404ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5fff30000 | 0x7df5fff30000 | 0x7ff5fff2ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69bdd0000 | 0x7ff69bdd0000 | 0x7ff69becffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69bed0000 | 0x7ff69bed0000 | 0x7ff69bef2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69befb000 | 0x7ff69befb000 | 0x7ff69befcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69befd000 | 0x7ff69befd000 | 0x7ff69befefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69beff000 | 0x7ff69beff000 | 0x7ff69befffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x97e3fe0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #112: net.exe
0
0
| Information | Value |
|---|---|
| ID | #112 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:11, Reason: Child Process |
| Unmonitor | End Time: 00:04:14, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6a6c |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6A70
0x
6AB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000008b2d00000 | 0x8b2d00000 | 0x8b2d1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000008b2d00000 | 0x8b2d00000 | 0x8b2d0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000008b2d20000 | 0x8b2d20000 | 0x8b2d33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000008b2d40000 | 0x8b2d40000 | 0x8b2dbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000008b2dc0000 | 0x8b2dc0000 | 0x8b2dc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000008b2dd0000 | 0x8b2dd0000 | 0x8b2dd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000008b2de0000 | 0x8b2de0000 | 0x8b2de1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000008b2df0000 | 0x8b2df0000 | 0x8b2eeffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x8b2ef0000 | 0x8b2fadfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ffe10000 | 0x7df5ffe10000 | 0x7ff5ffe0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6dc0000 | 0x7ff6d6dc0000 | 0x7ff6d6ebffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6ec0000 | 0x7ff6d6ec0000 | 0x7ff6d6ee2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d6eea000 | 0x7ff6d6eea000 | 0x7ff6d6eeafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d6eee000 | 0x7ff6d6eee000 | 0x7ff6d6eeffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #114: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #114 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:13, Reason: Child Process |
| Unmonitor | End Time: 00:04:15, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6acc |
| Parent PID | 0x6a6c (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6AD0
0x
6AD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000003a52b70000 | 0x3a52b70000 | 0x3a52b8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003a52b70000 | 0x3a52b70000 | 0x3a52b7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000003a52b80000 | 0x3a52b80000 | 0x3a52b86fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003a52b90000 | 0x3a52b90000 | 0x3a52ba3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003a52bb0000 | 0x3a52bb0000 | 0x3a52c2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003a52c30000 | 0x3a52c30000 | 0x3a52c33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000003a52c40000 | 0x3a52c40000 | 0x3a52c40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003a52c50000 | 0x3a52c50000 | 0x3a52c51fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003a52c60000 | 0x3a52c60000 | 0x3a52cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003a52ce0000 | 0x3a52ce0000 | 0x3a52ce6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003a52cf0000 | 0x3a52cf0000 | 0x3a52deffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x3a52df0000 | 0x3a52eadfff | Memory Mapped File | r |
|
|
|
- |
| netmsg.dll | 0x3a52eb0000 | 0x3a52eb2fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0x3a52ec0000 | 0x3a52ef1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003a53070000 | 0x3a53070000 | 0x3a5307ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffda0000 | 0x7df5ffda0000 | 0x7ff5ffd9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69b860000 | 0x7ff69b860000 | 0x7ff69b95ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69b960000 | 0x7ff69b960000 | 0x7ff69b982fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69b98b000 | 0x7ff69b98b000 | 0x7ff69b98cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69b98d000 | 0x7ff69b98d000 | 0x7ff69b98efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69b98f000 | 0x7ff69b98f000 | 0x7ff69b98ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x3a52eb0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #115: net.exe
0
0
| Information | Value |
|---|---|
| ID | #115 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:15, Reason: Child Process |
| Unmonitor | End Time: 00:04:18, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6d78 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6D7C
0x
6EEC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000dceae40000 | 0xdceae40000 | 0xdceae5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dceae40000 | 0xdceae40000 | 0xdceae4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000dceae60000 | 0xdceae60000 | 0xdceae73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000dceae80000 | 0xdceae80000 | 0xdceaefffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000dceaf00000 | 0xdceaf00000 | 0xdceaf03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000dceaf10000 | 0xdceaf10000 | 0xdceaf10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000dceaf20000 | 0xdceaf20000 | 0xdceaf21fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xdceaf30000 | 0xdceafedfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000dceb0e0000 | 0xdceb0e0000 | 0xdceb1dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff550000 | 0x7df5ff550000 | 0x7ff5ff54ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6fb0000 | 0x7ff6d6fb0000 | 0x7ff6d70affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d70b0000 | 0x7ff6d70b0000 | 0x7ff6d70d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d70dd000 | 0x7ff6d70dd000 | 0x7ff6d70defff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d70df000 | 0x7ff6d70df000 | 0x7ff6d70dffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #117: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #117 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:16, Reason: Child Process |
| Unmonitor | End Time: 00:04:18, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6fdc |
| Parent PID | 0x6d78 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6FE0
0x
6FE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000003681d00000 | 0x3681d00000 | 0x3681d1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003681d00000 | 0x3681d00000 | 0x3681d0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000003681d10000 | 0x3681d10000 | 0x3681d16fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003681d20000 | 0x3681d20000 | 0x3681d33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003681d40000 | 0x3681d40000 | 0x3681dbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003681dc0000 | 0x3681dc0000 | 0x3681dc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000003681dd0000 | 0x3681dd0000 | 0x3681dd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003681de0000 | 0x3681de0000 | 0x3681de1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x3681df0000 | 0x3681eadfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003681eb0000 | 0x3681eb0000 | 0x3681f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003681f30000 | 0x3681f30000 | 0x3681f36fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x3681f40000 | 0x3681f42fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0x3681f50000 | 0x3681f81fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003681f90000 | 0x3681f90000 | 0x3681f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003681fc0000 | 0x3681fc0000 | 0x36820bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff030000 | 0x7df5ff030000 | 0x7ff5ff02ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69bcc0000 | 0x7ff69bcc0000 | 0x7ff69bdbffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69bdc0000 | 0x7ff69bdc0000 | 0x7ff69bde2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69bde3000 | 0x7ff69bde3000 | 0x7ff69bde3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bdec000 | 0x7ff69bdec000 | 0x7ff69bdedfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bdee000 | 0x7ff69bdee000 | 0x7ff69bdeffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x3681f40000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #118: net.exe
0
0
| Information | Value |
|---|---|
| ID | #118 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:22, Reason: Child Process |
| Unmonitor | End Time: 00:04:23, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7264 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7268
0x
72B8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000b568280000 | 0xb568280000 | 0xb56829ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b568280000 | 0xb568280000 | 0xb56828ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b5682a0000 | 0xb5682a0000 | 0xb5682b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b5682c0000 | 0xb5682c0000 | 0xb56833ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b568340000 | 0xb568340000 | 0xb568343fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b568350000 | 0xb568350000 | 0xb568350fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b568360000 | 0xb568360000 | 0xb568361fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xb568370000 | 0xb56842dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b568480000 | 0xb568480000 | 0xb56857ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff490000 | 0x7df5ff490000 | 0x7ff5ff48ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6600000 | 0x7ff6d6600000 | 0x7ff6d66fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6700000 | 0x7ff6d6700000 | 0x7ff6d6722fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d672d000 | 0x7ff6d672d000 | 0x7ff6d672efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d672f000 | 0x7ff6d672f000 | 0x7ff6d672ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #120: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #120 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:23, Reason: Child Process |
| Unmonitor | End Time: 00:04:23, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x72dc |
| Parent PID | 0x7264 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
72E0
0x
72E4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000005da9d70000 | 0x5da9d70000 | 0x5da9d8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005da9d70000 | 0x5da9d70000 | 0x5da9d7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005da9d80000 | 0x5da9d80000 | 0x5da9d86fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005da9d90000 | 0x5da9d90000 | 0x5da9da3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005da9db0000 | 0x5da9db0000 | 0x5da9e2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005da9e30000 | 0x5da9e30000 | 0x5da9e33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005da9e40000 | 0x5da9e40000 | 0x5da9e40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005da9e50000 | 0x5da9e50000 | 0x5da9e51fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x5da9e60000 | 0x5da9f1dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005da9f20000 | 0x5da9f20000 | 0x5da9f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005da9fa0000 | 0x5da9fa0000 | 0x5da9fa6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000005da9fb0000 | 0x5da9fb0000 | 0x5da9fbffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x5da9fc0000 | 0x5da9fc2fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0x5da9fd0000 | 0x5daa001fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005daa030000 | 0x5daa030000 | 0x5daa12ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffb50000 | 0x7df5ffb50000 | 0x7ff5ffb4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69b980000 | 0x7ff69b980000 | 0x7ff69ba7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69ba80000 | 0x7ff69ba80000 | 0x7ff69baa2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69baa8000 | 0x7ff69baa8000 | 0x7ff69baa8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69baac000 | 0x7ff69baac000 | 0x7ff69baadfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69baae000 | 0x7ff69baae000 | 0x7ff69baaffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50390000 | 0x7ffc503a3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x5da9fc0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #121: net.exe
0
0
| Information | Value |
|---|---|
| ID | #121 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:26, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7334 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7338
0x
7350
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000005b67a50000 | 0x5b67a50000 | 0x5b67a6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005b67a50000 | 0x5b67a50000 | 0x5b67a5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000005b67a70000 | 0x5b67a70000 | 0x5b67a83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005b67a90000 | 0x5b67a90000 | 0x5b67b0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005b67b10000 | 0x5b67b10000 | 0x5b67b13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005b67b20000 | 0x5b67b20000 | 0x5b67b20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005b67b30000 | 0x5b67b30000 | 0x5b67b31fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x5b67b40000 | 0x5b67bfdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005b67c80000 | 0x5b67c80000 | 0x5b67d7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff6e0000 | 0x7df5ff6e0000 | 0x7ff5ff6dffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6540000 | 0x7ff6d6540000 | 0x7ff6d663ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6640000 | 0x7ff6d6640000 | 0x7ff6d6662fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d666d000 | 0x7ff6d666d000 | 0x7ff6d666efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d666f000 | 0x7ff6d666f000 | 0x7ff6d666ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #123: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #123 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:26, Reason: Child Process |
| Unmonitor | End Time: 00:04:26, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7354 |
| Parent PID | 0x7334 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7358
0x
735C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000006368340000 | 0x6368340000 | 0x636835ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006368340000 | 0x6368340000 | 0x636834ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000006368350000 | 0x6368350000 | 0x6368356fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006368360000 | 0x6368360000 | 0x6368373fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006368380000 | 0x6368380000 | 0x63683fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006368400000 | 0x6368400000 | 0x6368403fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000006368410000 | 0x6368410000 | 0x6368410fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006368420000 | 0x6368420000 | 0x6368421fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x6368430000 | 0x63684edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000063684f0000 | 0x63684f0000 | 0x63684f6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x6368500000 | 0x6368502fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000006368540000 | 0x6368540000 | 0x636863ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006368640000 | 0x6368640000 | 0x63686bffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x63686c0000 | 0x63686f1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000063688b0000 | 0x63688b0000 | 0x63688bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff050000 | 0x7df5ff050000 | 0x7ff5ff04ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69c090000 | 0x7ff69c090000 | 0x7ff69c18ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69c190000 | 0x7ff69c190000 | 0x7ff69c1b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69c1ba000 | 0x7ff69c1ba000 | 0x7ff69c1bbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c1bc000 | 0x7ff69c1bc000 | 0x7ff69c1bdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69c1be000 | 0x7ff69c1be000 | 0x7ff69c1befff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50390000 | 0x7ffc503a3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x6368500000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #124: net.exe
0
0
| Information | Value |
|---|---|
| ID | #124 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:32, Reason: Child Process |
| Unmonitor | End Time: 00:04:35, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3e4 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
428
0x
7414
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000026f1a30000 | 0x26f1a30000 | 0x26f1a4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000026f1a30000 | 0x26f1a30000 | 0x26f1a3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000026f1a50000 | 0x26f1a50000 | 0x26f1a63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000026f1a70000 | 0x26f1a70000 | 0x26f1aeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000026f1af0000 | 0x26f1af0000 | 0x26f1af3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000026f1b00000 | 0x26f1b00000 | 0x26f1b00fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000026f1b10000 | 0x26f1b10000 | 0x26f1b11fff | Private Memory | rw |
|
|
|
- |
| private_0x00000026f1b70000 | 0x26f1b70000 | 0x26f1c6ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x26f1c70000 | 0x26f1d2dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff4c0000 | 0x7df5ff4c0000 | 0x7ff5ff4bffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6db0000 | 0x7ff6d6db0000 | 0x7ff6d6eaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6eb0000 | 0x7ff6d6eb0000 | 0x7ff6d6ed2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d6ed4000 | 0x7ff6d6ed4000 | 0x7ff6d6ed4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d6ede000 | 0x7ff6d6ede000 | 0x7ff6d6edffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #126: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #126 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:34, Reason: Child Process |
| Unmonitor | End Time: 00:04:35, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7418 |
| Parent PID | 0x3e4 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
741C
0x
7494
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000078a3120000 | 0x78a3120000 | 0x78a313ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000078a3120000 | 0x78a3120000 | 0x78a312ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000078a3130000 | 0x78a3130000 | 0x78a3136fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000078a3140000 | 0x78a3140000 | 0x78a3153fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000078a3160000 | 0x78a3160000 | 0x78a31dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000078a31e0000 | 0x78a31e0000 | 0x78a31e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000078a31f0000 | 0x78a31f0000 | 0x78a31f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000078a3200000 | 0x78a3200000 | 0x78a3201fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x78a3210000 | 0x78a32cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000078a32d0000 | 0x78a32d0000 | 0x78a32d6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x78a32e0000 | 0x78a32e2fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000078a3300000 | 0x78a3300000 | 0x78a33fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000078a3400000 | 0x78a3400000 | 0x78a347ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x78a3480000 | 0x78a34b1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000078a3500000 | 0x78a3500000 | 0x78a350ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffd60000 | 0x7df5ffd60000 | 0x7ff5ffd5ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69bcd0000 | 0x7ff69bcd0000 | 0x7ff69bdcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69bdd0000 | 0x7ff69bdd0000 | 0x7ff69bdf2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69bdfb000 | 0x7ff69bdfb000 | 0x7ff69bdfcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bdfd000 | 0x7ff69bdfd000 | 0x7ff69bdfefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69bdff000 | 0x7ff69bdff000 | 0x7ff69bdfffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50390000 | 0x7ffc503a3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x78a32e0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #127: net.exe
0
0
| Information | Value |
|---|---|
| ID | #127 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:36, Reason: Child Process |
| Unmonitor | End Time: 00:04:36, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7504 |
| Parent PID | 0xc80 (c:\users\ciihmnxmn6ps\desktop\fkgcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7508
0x
754C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000086566e0000 | 0x86566e0000 | 0x86566fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000086566e0000 | 0x86566e0000 | 0x86566effff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000008656700000 | 0x8656700000 | 0x8656713fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008656720000 | 0x8656720000 | 0x865679ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000086567a0000 | 0x86567a0000 | 0x86567a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000086567b0000 | 0x86567b0000 | 0x86567b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000086567c0000 | 0x86567c0000 | 0x86567c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x86567d0000 | 0x865688dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008656930000 | 0x8656930000 | 0x8656a2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffb70000 | 0x7df5ffb70000 | 0x7ff5ffb6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6d6650000 | 0x7ff6d6650000 | 0x7ff6d674ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6d6750000 | 0x7ff6d6750000 | 0x7ff6d6772fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6d6776000 | 0x7ff6d6776000 | 0x7ff6d6776fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6d677e000 | 0x7ff6d677e000 | 0x7ff6d677ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff6d7340000 | 0x7ff6d735cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #129: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #129 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:36, Reason: Child Process |
| Unmonitor | End Time: 00:04:36, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7550 |
| Parent PID | 0x7504 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7554
0x
7558
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000022b4670000 | 0x22b4670000 | 0x22b468ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000022b4670000 | 0x22b4670000 | 0x22b467ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000022b4680000 | 0x22b4680000 | 0x22b4686fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000022b4690000 | 0x22b4690000 | 0x22b46a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000022b46b0000 | 0x22b46b0000 | 0x22b472ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000022b4730000 | 0x22b4730000 | 0x22b4733fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000022b4740000 | 0x22b4740000 | 0x22b4740fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000022b4750000 | 0x22b4750000 | 0x22b4751fff | Private Memory | rw |
|
|
|
- |
| private_0x00000022b4760000 | 0x22b4760000 | 0x22b4766fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x22b4770000 | 0x22b4772fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000022b47b0000 | 0x22b47b0000 | 0x22b47bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000022b47d0000 | 0x22b47d0000 | 0x22b48cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x22b48d0000 | 0x22b498dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000022b4990000 | 0x22b4990000 | 0x22b4a0ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x22b4a10000 | 0x22b4a41fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ffb90000 | 0x7df5ffb90000 | 0x7ff5ffb8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff69b870000 | 0x7ff69b870000 | 0x7ff69b96ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff69b970000 | 0x7ff69b970000 | 0x7ff69b992fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff69b99b000 | 0x7ff69b99b000 | 0x7ff69b99cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69b99d000 | 0x7ff69b99d000 | 0x7ff69b99dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff69b99e000 | 0x7ff69b99e000 | 0x7ff69b99ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff69c780000 | 0x7ff69c7bbfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50e40000 | 0x7ffc50e53fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x22b4770000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff69c780000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
