3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a (SHA256)
3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a.exe
Windows Exe (x86-32)
Created at 2018-05-16 15:35:00
Notifications (2/2)
Some extracted files may be missing in the report since the total file extraction size limit was reached during the analysis. You can increase the limit in the configuration settings.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: 3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a.exe
14
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\5jghkoaofdp\desktop\3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a.exe |
| Command Line | "C:\Users\5JgHKoaOfdp\Desktop\3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:33, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa80 |
| Parent PID | 0x3f8 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A68
0x
2D8
0x
364
0x
ABC
0x
AC0
0x
AA4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a50000 | 0x00a50000 | 0x00a6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x00a5ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a63fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a71fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a70fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x00a8efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00acffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00bcffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000bd0000 | 0x00bd0000 | 0x00bd3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00be1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00bf0000 | 0x00c6dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00c70fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00c8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c90000 | 0x00c90000 | 0x00c90fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x00ca0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x00ca3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00cb3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000cc0000 | 0x00cc0000 | 0x00cc0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x00cd0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cversions.2.db | 0x00ce0000 | 0x00ce3fff | Memory Mapped File | Readable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000006.db | 0x00cf0000 | 0x00d2efff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x00d30000 | 0x00d33fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00d4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00e4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x00fd7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| oleaut32.dll | 0x00fe0000 | 0x01066fff | Memory Mapped File | Readable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x00fe0000 | 0x01062fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000001070000 | 0x01070000 | 0x01072fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| 3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a.exe | 0x01080000 | 0x01087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000001090000 | 0x01090000 | 0x01210fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001220000 | 0x01220000 | 0x0261ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02620000 | 0x028f4fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002900000 | 0x02900000 | 0x02a4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002900000 | 0x02900000 | 0x029f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002a00000 | 0x02a00000 | 0x02a00fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| cversions.1.db | 0x02a10000 | 0x02a13fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002a10000 | 0x02a10000 | 0x02a10fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000028.db | 0x02a20000 | 0x02a39fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002a40000 | 0x02a40000 | 0x02a4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002a50000 | 0x02a50000 | 0x02e4bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002e50000 | 0x02e50000 | 0x02e50fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002e60000 | 0x02e60000 | 0x02e60fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002e60000 | 0x02e60000 | 0x02e60fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002e70000 | 0x02e70000 | 0x02eaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002eb0000 | 0x02eb0000 | 0x02faffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002fb0000 | 0x02fb0000 | 0x02feffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002ff0000 | 0x02ff0000 | 0x030effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000030f0000 | 0x030f0000 | 0x0312ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003130000 | 0x03130000 | 0x0322ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003230000 | 0x03230000 | 0x0326ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003270000 | 0x03270000 | 0x0336ffff | Private Memory | Readable, Writable |
|
|
|
- |
| svchost.exe | 0x03370000 | 0x03377fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000003370000 | 0x03370000 | 0x033affff | Private Memory | Readable, Writable |
|
|
|
- |
| sysmain.sdb | 0x03380000 | 0x03726fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000033b0000 | 0x033b0000 | 0x034affff | Private Memory | Readable, Writable |
|
|
|
- |
| sysmain.sdb | 0x034b0000 | 0x03856fff | Memory Mapped File | Readable |
|
|
|
- |
| bcrypt.dll | 0x74110000 | 0x7412cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74130000 | 0x7415efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74160000 | 0x74177fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x74180000 | 0x74188fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x74190000 | 0x741a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x741b0000 | 0x7436cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x74370000 | 0x74588fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x74590000 | 0x746b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x746c0000 | 0x746cdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| propsys.dll | 0x746d0000 | 0x747f2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x74800000 | 0x74808fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x74810000 | 0x74885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x74890000 | 0x748b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x748e0000 | 0x749bafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apphelp.dll | 0x749c0000 | 0x74a58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x74f30000 | 0x74f69fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x751a0000 | 0x7531efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75780000 | 0x7592cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x75a50000 | 0x76bfcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x76eb0000 | 0x76ebdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007ed57000 | 0x7ed57000 | 0x7ed59fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed5a000 | 0x7ed5a000 | 0x7ed5cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed5d000 | 0x7ed5d000 | 0x7ed5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007ed60000 | 0x7ed60000 | 0x7ee5ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ee60000 | 0x7ee60000 | 0x7ee82fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ee84000 | 0x7ee84000 | 0x7ee84fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee85000 | 0x7ee85000 | 0x7ee85fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee87000 | 0x7ee87000 | 0x7ee89fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee8a000 | 0x7ee8a000 | 0x7ee8cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee8d000 | 0x7ee8d000 | 0x7ee8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\windows\svchost.exe | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\windows\svchost.exe | 16.50 KB |
MD5:
1221ac9d607af73c65fd6c62bec3d249
SHA1: 518d5a0a8025147b9e29821bccdaf3b42c0d01db SHA256: 3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a |
|
|
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Copy | C:\Windows\svchost.exe | source_filename = C:\Users\5JgHKoaOfdp\Desktop\3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a.exe |
|
2 | |
| Delete | C:\Windows\svchost.exe | - |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | - |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | value_name = Shell, data = C:\Windows\explorer.exe, C:\Windows\svchost.exe, size = 520, type = REG_SZ |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\svchost.exe | show_window = SW_HIDE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\users\5jghkoaofdp\desktop\3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a.exe, file_name_orig = C:\Users\5JgHKoaOfdp\Desktop\3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a.exe, size = 260 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
2 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | mutex_name = 䩈㹇䨼䙫套杉極桯瑧㤸㜵朳橵畨㝹常⠪⠦♞, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Process #2: svchost.exe
941
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\svchost.exe |
| Command Line | "C:\Windows\svchost.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:46, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:47 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xac4 |
| Parent PID | 0xa80 (c:\users\5jghkoaofdp\desktop\3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AC8
0x
ADC
0x
AE0
0x
AE4
0x
AE8
0x
AEC
0x
AF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000030000 | 0x00030000 | 0x0004ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x0003ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000040000 | 0x00040000 | 0x00043fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x0006efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x001affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0024dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00250fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00263fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| oleaut32.dll | 0x00280000 | 0x00306fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| bootstat.dat | 0x002c0000 | 0x002cffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| bootnxt | 0x002c0000 | 0x002c0fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| msaddndr.olb | 0x002c0000 | 0x002c3fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| eeintl.dll | 0x002c0000 | 0x002cffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| eqnedt32.cnt | 0x002c0000 | 0x002c0fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| eqnedt32.exe.manifest | 0x002c0000 | 0x002c0fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| mtextra.ttf | 0x002c0000 | 0x002c1fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| msoeuro.dll | 0x002c0000 | 0x002c7fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| msgfilt.dll | 0x002c0000 | 0x002c9fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| ms.eps | 0x002c0000 | 0x002c3fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| ms.gif | 0x002c0000 | 0x002c0fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| hx.hxc | 0x002c0000 | 0x002c0fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| hxruntime.hxs | 0x002c0000 | 0x002c6fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| keywords.hxk | 0x002c0000 | 0x002c0fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| namedurls.hxk | 0x002c0000 | 0x002c0fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| aceodbci.dll | 0x002c0000 | 0x002cdfff | Memory Mapped File | Readable, Writable |
|
|
|
|
| msointl.dll.idx_dll | 0x002c0000 | 0x002ccfff | Memory Mapped File | Readable, Writable |
|
|
|
|
| mssoapr3.dll | 0x002c0000 | 0x002cafff | Memory Mapped File | Readable, Writable |
|
|
|
|
| oarpmanr.dll | 0x002c0000 | 0x002c3fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| readme.htm | 0x002c0000 | 0x002c0fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| aceerr.dll | 0x002c0000 | 0x002c9fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| aceodexl.dll | 0x002c0000 | 0x002c4fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| as80.xsl | 0x002c0000 | 0x002c4fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| db2v0801.xsl | 0x002c0000 | 0x002c7fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| msjet.xsl | 0x002c0000 | 0x002c7fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| orcl7.xsl | 0x002c0000 | 0x002c8fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| sql70.xsl | 0x002c0000 | 0x002c7fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cversions.1.db | 0x002e0000 | 0x002e3fff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x002e0000 | 0x002e3fff | Memory Mapped File | Readable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000028.db | 0x002f0000 | 0x00309fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00310fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0042ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x00442fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00450fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0046ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cversions.2.db | 0x00470000 | 0x00473fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00480fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x0058ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sysmain.sdb | 0x00590000 | 0x00936fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00717fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x008a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x008b0000 | 0x00b84fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00f8bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00f90fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f90000 | 0x00f90000 | 0x00f90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| svchost.exe | 0x00fb0000 | 0x00fb7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000fc0000 | 0x00fc0000 | 0x023bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000006.db | 0x023c0000 | 0x023fefff | Memory Mapped File | Readable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x02400000 | 0x02482fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002490000 | 0x02490000 | 0x024cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000024d0000 | 0x024d0000 | 0x025cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000025d0000 | 0x025d0000 | 0x0260ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002610000 | 0x02610000 | 0x0270ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002710000 | 0x02710000 | 0x0274ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002750000 | 0x02750000 | 0x0284ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002850000 | 0x02850000 | 0x0288ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002890000 | 0x02890000 | 0x0298ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002990000 | 0x02990000 | 0x029cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000029d0000 | 0x029d0000 | 0x02acffff | Private Memory | Readable, Writable |
|
|
|
- |
| dbghelp.dll | 0x02ad0000 | 0x02c1efff | Memory Mapped File | Readable, Writable |
|
|
|
|
| dw20.exe | 0x02ad0000 | 0x02bc3fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| dwtrig20.exe | 0x02ad0000 | 0x02b5ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| eqnedt32.exe | 0x02ad0000 | 0x02b54fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| eqnedt32.hlp | 0x02ad0000 | 0x02afbfff | Memory Mapped File | Readable, Writable |
|
|
|
|
| odffilt.dll | 0x02ad0000 | 0x02bbbfff | Memory Mapped File | Readable, Writable |
|
|
|
|
| offfiltx.dll | 0x02ad0000 | 0x02beffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| visfilt.dll | 0x02ad0000 | 0x02c4ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| epsimp32.flt | 0x02ad0000 | 0x02b6efff | Memory Mapped File | Readable, Writable |
|
|
|
|
| gifimp32.flt | 0x02ad0000 | 0x02b0efff | Memory Mapped File | Readable, Writable |
|
|
|
|
| jpegim32.flt | 0x02ad0000 | 0x02b09fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| pictim32.flt | 0x02ad0000 | 0x02ae2fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| png32.flt | 0x02ad0000 | 0x02b13fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| wpgimp32.flt | 0x02ad0000 | 0x02b11fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| hxds.dll | 0x02ad0000 | 0x02bfdfff | Memory Mapped File | Readable, Writable |
|
|
|
|
| itircl55.dll | 0x02ad0000 | 0x02c4ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| msitss55.dll | 0x02ad0000 | 0x02b3cfff | Memory Mapped File | Readable, Writable |
|
|
|
|
| mscdm.dll | 0x02ad0000 | 0x02b46fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| aceintl.dll | 0x02ad0000 | 0x02b01fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| acewstr.dll | 0x02ad0000 | 0x02ba1fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| ado210.chm | 0x02ad0000 | 0x02c4ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| alrtintl.dll | 0x02ad0000 | 0x02af5fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| msointl.dll | 0x02ad0000 | 0x02c4ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| msointl.rest.idx_dll | 0x02ad0000 | 0x02c3afff | Memory Mapped File | Readable, Writable |
|
|
|
|
| osfintl.dll | 0x02ad0000 | 0x02af0fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| osmdp32.msi | 0x02ad0000 | 0x02c4ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| xlsrvintl.dll | 0x02ad0000 | 0x02b10fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| acecore.dll | 0x02ad0000 | 0x02c4ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| acedao.dll | 0x02ad0000 | 0x02b66fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| acees.dll | 0x02ad0000 | 0x02ba6fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| aceexch.dll | 0x02ad0000 | 0x02b0cfff | Memory Mapped File | Readable, Writable |
|
|
|
|
| aceexcl.dll | 0x02ad0000 | 0x02b52fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| aceodbc.dll | 0x02ad0000 | 0x02b22fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| aceoledb.dll | 0x02ad0000 | 0x02b3cfff | Memory Mapped File | Readable, Writable |
|
|
|
|
| acetxt.dll | 0x02ad0000 | 0x02b01fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| acewdat.dll | 0x02ad0000 | 0x02c4ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| acewss.dll | 0x02ad0000 | 0x02b1cfff | Memory Mapped File | Readable, Writable |
|
|
|
|
| adal.dll | 0x02ad0000 | 0x02ba5fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| cmigrate.exe | 0x02ad0000 | 0x02c4ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| csisyncclient.exe | 0x02ad0000 | 0x02aeafff | Memory Mapped File | Readable, Writable |
|
|
|
|
| sql90.xsl | 0x02ad0000 | 0x02ae6fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| sqlpdw.xsl | 0x02ad0000 | 0x02ae2fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| bcrypt.dll | 0x74110000 | 0x7412cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74130000 | 0x7415efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74160000 | 0x74177fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x74180000 | 0x74188fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x74190000 | 0x741a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x741b0000 | 0x7436cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x74370000 | 0x74588fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x74590000 | 0x746b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x746c0000 | 0x746cdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| propsys.dll | 0x746d0000 | 0x747f2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x74800000 | 0x74808fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x74810000 | 0x74885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x748e0000 | 0x749bafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apphelp.dll | 0x749c0000 | 0x74a58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x74f30000 | 0x74f69fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x751a0000 | 0x7531efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75780000 | 0x7592cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x75a50000 | 0x76bfcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x76eb0000 | 0x76ebdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007f134000 | 0x7f134000 | 0x7f136fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f137000 | 0x7f137000 | 0x7f139fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f13a000 | 0x7f13a000 | 0x7f13cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f13d000 | 0x7f13d000 | 0x7f13ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007f140000 | 0x7f140000 | 0x7f23ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f240000 | 0x7f240000 | 0x7f262fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f264000 | 0x7f264000 | 0x7f264fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f266000 | 0x7f266000 | 0x7f268fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f269000 | 0x7f269000 | 0x7f26bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f26c000 | 0x7f26c000 | 0x7f26efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f26f000 | 0x7f26f000 | 0x7f26ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\boot\bcd.log1.[sepsis@protonmail.com].sepsis | 0.18 KB |
MD5:
9d545a04b7368d29972e89376eeeb264
SHA1: 0e819aef207a012e2d068ca32360ac65b6bfcab9 SHA256: b4dd973aed2766bb439db73e91d88cc945fb283e68e437c2e330ce652e0123c5 |
|
|
| c:\boot\bcd.log2.[sepsis@protonmail.com].sepsis | 0.18 KB |
MD5:
9d545a04b7368d29972e89376eeeb264
SHA1: 0e819aef207a012e2d068ca32360ac65b6bfcab9 SHA256: b4dd973aed2766bb439db73e91d88cc945fb283e68e437c2e330ce652e0123c5 |
|
|
| c:\boot\bootstat.dat.[sepsis@protonmail.com].sepsis | 64.18 KB |
MD5:
4ea95f48d0f2d0e5b75802d21c075970
SHA1: cc14d658ed5360f09019758eab9bcdbc17ef315b SHA256: 0a468b854de09777e9c8cbee51bbab967207821070105daea6832e8d58b8bfa9 |
|
|
| c:\bootnxt.[sepsis@protonmail.com].sepsis | 0.18 KB |
MD5:
75083afb5f033e0d63f25e50f64f1641
SHA1: 0390bc6aa882f0cda5a80f382a544087bbbfb2ba SHA256: ba1194ff004e688f680e9426e8a2d8b55c250d103b97267361c4f2a0042dd8cb |
|
|
| c:\program files\common files\designer\msaddndr.olb.[sepsis@protonmail.com].sepsis | 15.79 KB |
MD5:
228da1815eb645b81cb702ba4c93d3e8
SHA1: d683d6a5399d65be44ea7218a6c8134e187e6f48 SHA256: cfac4d55bfc01bdf961127632ac255478390794a760de3030776396c413b18af |
|
|
| c:\program files\common files\microsoft shared\dw\dbghelp.dll.[sepsis@protonmail.com].sepsis | 1.31 MB |
MD5:
4679ab1652b6ae68dc69edade0a027c0
SHA1: 759b229ea4cf5e82296605071de808829199c353 SHA256: d00503057698662823a786fc3699cd36679e905690bb2d19d424b2cb5eadc3fe |
|
|
| c:\program files\common files\microsoft shared\dw\dw20.exe.[sepsis@protonmail.com].sepsis | 974.38 KB |
MD5:
58435dd3eed646e1eb9e69d039a8fa91
SHA1: a8cc9afd1509c53b8b3e60011b9b7e621e7f10fb SHA256: c0ee6d2f1c8bf01c38eb9d6380adcec6cf4a8520ca82e756a92172aa776c86a1 |
|
|
| c:\program files\common files\microsoft shared\dw\dwtrig20.exe.[sepsis@protonmail.com].sepsis | 574.40 KB |
MD5:
0600feb1e31732b89988e3aafb444016
SHA1: 88d595150a145510984b09d0ccbf860fc9d63682 SHA256: 168d0ce4baa65d6f36d6d974469c3007b8dde7998fe3904d027bd8b9e971490f |
|
|
| c:\program files\common files\microsoft shared\equation\1033\eeintl.dll.[sepsis@protonmail.com].sepsis | 62.77 KB |
MD5:
51eb3a059480b7576659efb1bad7f521
SHA1: 52934a488d2e7496332dac9fda1a1ee7c50da281 SHA256: 6e24e0590625060c7516290e4b35267a2edb452828da9c4de3304fe424ab7e49 |
|
|
| c:\program files\common files\microsoft shared\equation\eqnedt32.cnt.[sepsis@protonmail.com].sepsis | 2.67 KB |
MD5:
854d72551d4d99dbb6cc756ffd9e8738
SHA1: 68f9f153c4ef0fc748d75dfa8e791cd0d1544f39 SHA256: fccf5a199f776e44ceddfbbc2b7c566e0ef5e961eca803fda6484ff9091b23f6 |
|
|
| c:\program files\common files\microsoft shared\equation\eqnedt32.exe.[sepsis@protonmail.com].sepsis | 530.75 KB |
MD5:
5b61ee119abfba50caf9100f8b687924
SHA1: 7001057ce7fd9edf64caf1ffc09345fdb43e7205 SHA256: 436f592ba523b6fbd9a355d227e1888f9fdcc27692f3874c3dfd8720470843c2 |
|
|
| c:\program files\common files\microsoft shared\equation\eqnedt32.exe.manifest.[sepsis@protonmail.com].sepsis | 0.73 KB |
MD5:
0194439975cb83f3c5216d7ad3f7babe
SHA1: 277bc16091bd3db68b0c9a858f9c3e5b1234511c SHA256: 35c13133831490c8f803447c90b44094a659416186f898448e6130e4a5f8962a |
|
|
| c:\program files\common files\microsoft shared\equation\eqnedt32.hlp.[sepsis@protonmail.com].sepsis | 172.35 KB |
MD5:
9dc9a598750e702b78db22642270e816
SHA1: 50898393625d36d392fdc60fc69d3196d8db9635 SHA256: 8f39dccb819276c7b8671ebcf15bb236f6630bc80a3c5ea2196876f96a21d259 |
|
|
| c:\program files\common files\microsoft shared\equation\mtextra.ttf.[sepsis@protonmail.com].sepsis | 7.65 KB |
MD5:
bcae409c119f08f9fbcba36fb1f3996d
SHA1: f16eb9b6dfc87c6f1488572f79a27b60c8dd87f4 SHA256: 1c6a5aed2a55cc4ecf1e123c9ddc5a15ff6e70e1093a50d0c2716a453555a4b8 |
|
|
| c:\program files\common files\microsoft shared\euro\msoeuro.dll.[sepsis@protonmail.com].sepsis | 31.79 KB |
MD5:
b9f03b53f35e476502bd2aa3a7e2e0e7
SHA1: e9060b4c87dc940c889a04615dd023d123bea84c SHA256: edeaff47c6510fcc1a1ac4365332bcc93254972475b617b0379ba89acf14a9ff |
|
|
| c:\program files\common files\microsoft shared\filters\msgfilt.dll.[sepsis@protonmail.com].sepsis | 39.30 KB |
MD5:
2afb39ab896ddcb4c51fe2e75c6cecbd
SHA1: b3511398b7395c490924589ee255b04f1a50e205 SHA256: 163996e0c5a32e04f2ecbbdd474f53eca8ea0596ad77dffef41b9db4aa8605d4 |
|
|
| c:\program files\common files\microsoft shared\filters\odffilt.dll.[sepsis@protonmail.com].sepsis | 940.83 KB |
MD5:
ef0d4357983d69bd33bf1419ee975f1d
SHA1: bf661ac03f4b37ed94420bb4bbdf7ac837eeb03d SHA256: e9cadc9c3a3ffb7dec58c32e0f433e90fa3c7df57e40276af79875de2f8ca2cd |
|
|
| c:\program files\common files\microsoft shared\filters\offfiltx.dll.[sepsis@protonmail.com].sepsis | 1.12 MB |
MD5:
22cd6893caa9d3c373afa2cf77635f0e
SHA1: 9ac50bc7adbddcd7b7c3f3d34321cb681e45aeac SHA256: 36e5cc3a0661bfb3f27aa8a52f762f4c3e3f86fafcd5b6f2136d3436e00f8668 |
|
|
| c:\program files\common files\microsoft shared\filters\visfilt.dll.[sepsis@protonmail.com].sepsis | 3.74 MB |
MD5:
0520ae921464d91df95d8173d8cf892f
SHA1: daa669d055663233a2a0db4f7e769916cfebb7bf SHA256: 3caac82d10cc4a029e96df56377e1c22e2e0f0d4a20bfa26119172d91616d479 |
|
|
| c:\program files\common files\microsoft shared\grphflt\epsimp32.flt.[sepsis@protonmail.com].sepsis | 635.32 KB |
MD5:
f01a01b90023d35a294d577deded09c4
SHA1: c3c982d90dd4caa3f6dfb2c5c99b815220a1ead8 SHA256: de925baa026e639f8784a60f57e8918e53e8a83eb532eeb17976e133977a08fd |
|
|
| c:\program files\common files\microsoft shared\grphflt\gifimp32.flt.[sepsis@protonmail.com].sepsis | 250.31 KB |
MD5:
6ac34efd31c14552b76654152f935c00
SHA1: d70d77b43532c14ae4090ed8e0a22643ff865916 SHA256: 506607a15f783ff167521d4fcd6f23246d4017f0d63db885e81a9729d72b5b9f |
|
|
| c:\program files\common files\microsoft shared\grphflt\jpegim32.flt.[sepsis@protonmail.com].sepsis | 228.32 KB |
MD5:
c185e0cfcb57b9a1866fc3e1ecbc94e0
SHA1: f95072cd0eef0145ae595554494e0d172ed6ced4 SHA256: 5118411007a7bc2795b566400c3994cae10b9d6960bfff4c1cd6d6b657333bd5 |
|
|
| c:\program files\common files\microsoft shared\grphflt\ms.eps.[sepsis@protonmail.com].sepsis | 14.89 KB |
MD5:
b89c66ae83ee319c47ef70aea07d4f6f
SHA1: 1657ceb6734e2283b199173665836d951c1b5ccb SHA256: 2830f64ece6ec6cfe9a8350cb8e36fc6d7c4075a92f6af8739b3e21da3e36622 |
|
|
| c:\program files\common files\microsoft shared\grphflt\ms.gif.[sepsis@protonmail.com].sepsis | 1.22 KB |
MD5:
e8b4fcad81b1fc2f77bc2bbc86c74428
SHA1: 0edf6d2383163920e473e19114109abf26916aa8 SHA256: 3ba1141f77ad6cb0631528a39cfdebd4783ac5e957792c9c94f3a4db916cfc54 |
|
|
| c:\program files\common files\microsoft shared\grphflt\ms.jpg.[sepsis@protonmail.com].sepsis | 1.21 KB |
MD5:
bab08a48799d6bceabd6ffa69a45adff
SHA1: 912f5ceb4061fe42b901d97c5af31c4cb06350d0 SHA256: 4ff4728b8d7f3e8a7722a88f24d613b286cc5e79662ec763ea72fde87b60e90d |
|
|
| c:\program files\common files\microsoft shared\grphflt\ms.png.[sepsis@protonmail.com].sepsis | 1.82 KB |
MD5:
0cfca8e12b1969e69a50d379d1e0b0a4
SHA1: d4940905210412d428d32beb2bdb4bcbaed3a583 SHA256: 756e173f860c789ec89215b77998efef4319aca90f3b0b570ec8c362c8314792 |
|
|
| c:\program files\common files\microsoft shared\grphflt\ms.wpg.[sepsis@protonmail.com].sepsis | 1.53 KB |
MD5:
f8e664a4cdddccdd94a2e001a154d7c3
SHA1: 3b8d80d7538aaff83fd35ce50bdecfc965189c95 SHA256: 7b4b523dfb131121c8aa23cd3fc71dcd2fb2c2b6d6f7eb8537151d8499a48e0e |
|
|
| c:\program files\common files\microsoft shared\grphflt\pictim32.flt.[sepsis@protonmail.com].sepsis | 74.82 KB |
MD5:
8b806f7da233198cbec9960a05c1aafe
SHA1: b217f887daf47143da6375f76b17845caaa07383 SHA256: 040644b7a36c09f68d25f524e15f81c97ebced94342ad5d1cd3b07b6a4d24cef |
|
|
| c:\program files\common files\microsoft shared\grphflt\png32.flt.[sepsis@protonmail.com].sepsis | 271.83 KB |
MD5:
8a86d7d639eb0ec65fa33f7c3bf3caec
SHA1: 88f03253366b74e934d6e8a075488e4d9de2f52e SHA256: f3ed9aa3e03b266572274e6ee73e3608435015169625402032a03a2ec09129be |
|
|
| c:\program files\common files\microsoft shared\grphflt\wpgimp32.flt.[sepsis@protonmail.com].sepsis | 263.83 KB |
MD5:
31d015ed828cc0b1709be03f1683e558
SHA1: 5e4b26033a9a29e2121387bc461ae02e3ac8a8b2 SHA256: b9109453cf2bfbb128159f934a3e67faff1a4ee8f38b76d1bf3b22e3a5987550 |
|
|
| c:\program files\common files\microsoft shared\help\hx.hxc.[sepsis@protonmail.com].sepsis | 0.96 KB |
MD5:
5a910a305d21654241d1881dd6b2ca98
SHA1: fac1e073a5820950c7805fac75380def45b93976 SHA256: 52f465b6655509ec4d8dd902ed101d69f88fc5160ba515357c5b2e8035c7a306 |
|
|
| c:\program files\common files\microsoft shared\help\hx.hxt.[sepsis@protonmail.com].sepsis | 0.34 KB |
MD5:
332f8938a6dde0047ebf514b38118915
SHA1: 11258317cb082042b126f9d0a4d1332b98a52f6e SHA256: 3729ee9975b714fef76a42b4d77fd4242fc8489f3c84c87f5088b3e4c7c45b55 |
|
|
| c:\program files\common files\microsoft shared\help\hxds.dll.[sepsis@protonmail.com].sepsis | 1.18 MB |
MD5:
667f6c344628b16b732846a33ef8729a
SHA1: b6813117ca3e3964cbda66d36123878616f8b285 SHA256: ce71b282e803bb143ce10e680678de427e9e6373d8625f046a7e877c4e2d2a4c |
|
|
| c:\program files\common files\microsoft shared\help\hxruntime.hxs.[sepsis@protonmail.com].sepsis | 27.40 KB |
MD5:
69b22a0aa6b2e57404fc7f60f7de9894
SHA1: 94197a64b2dcf3c09550efd309060754b0de9398 SHA256: 156fc56ce03ae51a79ef0743bdfb5fc1336717d899a6f813446dc26d75cbadbc |
|
|
| c:\program files\common files\microsoft shared\help\itircl55.dll.[sepsis@protonmail.com].sepsis | 1.72 MB |
MD5:
f24d563717ee2f63156fb105458c05a6
SHA1: 4a998e2f9733e243fda92b335f5d8ca35264dde5 SHA256: 27388703598ba072ce4802e4405458cc1a6a04bf11b8f8afe3d67aa62414e201 |
|
|
| c:\program files\common files\microsoft shared\help\keywords.hxk.[sepsis@protonmail.com].sepsis | 0.31 KB |
MD5:
a090c1a1b74ff8085781f2b8e9924887
SHA1: a74ae3151765acf4ea9e0b7849e8d80c9aa100e6 SHA256: b20c0c3677553e1cc34f680aa1f13e7e10650cae310f1a594290967dd16f4a60 |
|
|
| c:\program files\common files\microsoft shared\help\msitss55.dll.[sepsis@protonmail.com].sepsis | 434.35 KB |
MD5:
1764fad1c166cb87ce23f9a2a73b5b5f
SHA1: a358df20202c117d1a93b654a9e4f1ff236f66f4 SHA256: f1e1d4301138e16d80d1e208185c0a622c6f4a818d9b8c95d78b23cd3c9b1114 |
|
|
| c:\program files\common files\microsoft shared\help\namedurls.hxk.[sepsis@protonmail.com].sepsis | 0.31 KB |
MD5:
c29d9f7f3aff22bc50b2e2bf802b5fc2
SHA1: 90b22a9ecfb0de25572bbb448c91bff1c2eff84d SHA256: f27c7a2b9e3653570e783d532f65b1818eee9dc4f550f35e036d03b91eb88e17 |
|
|
| c:\program files\common files\microsoft shared\msclientdatamgr\mscdm.dll.[sepsis@protonmail.com].sepsis | 474.35 KB |
MD5:
1e53c61737cdd277038516efce7e5a2f
SHA1: 93e625cd64dbf7459de2e5be89263bbf37199ccc SHA256: 662dbbcd37052dbe3271e56f84a0796cd5d957e51de199c29b90ab2a5e245d8e |
|
|
| c:\program files\common files\microsoft shared\office15\1033\aceintl.dll.[sepsis@protonmail.com].sepsis | 196.87 KB |
MD5:
be8c8fea5988a4e1f7f26d8eea4edfcf
SHA1: ac03db4447aebce19ecaf6d371c6c7d10442255e SHA256: 6238344ffc7f7d2338349d4b4447ed5331e3a0cd0caaa8dae58a7dec6b0d8a11 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\aceodbci.dll.[sepsis@protonmail.com].sepsis | 52.36 KB |
MD5:
9e9e7daf3a4499bf1a0b01b5a0b31d24
SHA1: db30fdf794c98a834239bd948b6ca328df366b74 SHA256: 1a80a33aaad3e641ea485158a127bfc2ba07c55aae05e823b71226ea6b96bf95 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\acewstr.dll.[sepsis@protonmail.com].sepsis | 839.35 KB |
MD5:
9ebcdfa5720d1b4d0676a1b90d6050c6
SHA1: 9f1303873f9bcf255949c5ae47ff7ff0a8018247 SHA256: dfa0841cae6fb52b0d14a78dad5bb7db6bb9e5e9b8d9cbb0813629c53e83257e |
|
|
| c:\program files\common files\microsoft shared\office15\1033\ado210.chm.[sepsis@protonmail.com].sepsis | 1.60 MB |
MD5:
53fa6ab167d4cf68f5485a827c9f5426
SHA1: 1d38d51435d660e62f23a3aa851401bb1092bdff SHA256: 798c229d9384dc338d2bdbe1163b4bec541137c700e9e148953c447ae97971a2 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\alrtintl.dll.[sepsis@protonmail.com].sepsis | 150.77 KB |
MD5:
e4e7bfa9e0b14f5ead56a1e7b5d6f436
SHA1: b6054cc98f146519f3bb00a044f85b85ae2e2de4 SHA256: 1929c76bbbf9f8252ccdb2d16d5ab1e5c62a76b4acb04787386ffcdf6f9c10d0 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\msointl.dll.[sepsis@protonmail.com].sepsis | 3.46 MB |
MD5:
ef3ce4d94d705066ae8d508bb577fc8f
SHA1: e79f6cf9b060cb29a46d51e308b4d49de2532f8b SHA256: a9e19978f5270b2ae51ba2eeac974a7ab6c7d2c1653a11142cbb0a647af37a09 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\msointl.dll.idx_dll.[sepsis@protonmail.com].sepsis | 51.82 KB |
MD5:
c08256ba876262809f3fe1fcc583d069
SHA1: 198e1495c5a6ab7a7e935bde35029b34e813f3d4 SHA256: 84d57e8229377a7d8564767b5a288a3192f63c67fa6f5e1423fcd6c6b5c4cb2f |
|
|
| c:\program files\common files\microsoft shared\office15\1033\msointl.rest.idx_dll.[sepsis@protonmail.com].sepsis | 1.42 MB |
MD5:
3ea4252fab4c5db8789d25072c3ae5da
SHA1: 4747cb0ba11394894f1c469be496c7948b5d3a97 SHA256: 139172e558815fe78d405bb31fde49d82d927b78f91a7bcd0c606b82321393a8 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\mssoapr3.dll.[sepsis@protonmail.com].sepsis | 41.32 KB |
MD5:
a4844d8708a189a4292b02e61e5bf612
SHA1: 68c83a795f703075cdb8d1ee8c995ec58c1ebfba SHA256: 03f35706da7c33d3096628f62b74297df677d93df5ef1edcde9bdde1669d7058 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\oarpmanr.dll.[sepsis@protonmail.com].sepsis | 12.32 KB |
MD5:
b5518f87053cf19ba6018ceebe450df1
SHA1: 650b95b51ca374cfc2a74153c30d2b1bbccabd51 SHA256: 4af68262225d8c0d637ce2c0dd52dbf27f58efdba6734cb3758022a0d031b537 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\osfintl.dll.[sepsis@protonmail.com].sepsis | 130.81 KB |
MD5:
c87b7565588cee387565a6c6ccf422a8
SHA1: 1bf44e86edf8ba912fd5a217a4ff814c3f8fe107 SHA256: 6e86e96a2347996cbfd82e10bff52c96c0ade00d22b04884914bbdc97bc7adb1 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\osmdp32.msi.[sepsis@protonmail.com].sepsis | 2.18 MB |
MD5:
3f0ad0ca2c91a4f1b5a2b9415b31c5ea
SHA1: 62ec23ca63aa2d44da770d752fc9b98c9c1446f9 SHA256: c709d3a80d9f054981f775496ca868e86cb361e946a8c6fd0beba9d5949de682 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\osmdp64.msi.[sepsis@protonmail.com].sepsis | 2.30 MB |
MD5:
3b09458882c91c06db45a8036a963bda
SHA1: 17d33df3defa238d2d6ba933c24c0c648274a32d SHA256: d1c4d43767cd10ddac2a4ce38db5ce08d28df5f7ca8f123fb7552ddde6d9b89c |
|
|
| c:\program files\common files\microsoft shared\office15\1033\osmia32.msi.[sepsis@protonmail.com].sepsis | 1.73 MB |
MD5:
0f299c2a63890deeca9861ff427d1a91
SHA1: ce6d17cf73c38d4abc4dc11a9f75dea67d5eed21 SHA256: 0021b1fff8b2d5358656b6c22c935ce2294ae9f059594a0445feb03ee8517c29 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\osmia64.msi.[sepsis@protonmail.com].sepsis | 1.77 MB |
MD5:
5f94fc6d7000ec07eab968cda69e9c43
SHA1: 3d30076587e78ce20e9a239e35a22db5a3338f5a SHA256: 7316284f92a7fb4dfefe57f0ce52c76fa2b24f9ad2b7b57a4e7d1c1f18c92e61 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\readme.htm.[sepsis@protonmail.com].sepsis | 0.59 KB |
MD5:
2c1a30b17e42db7703d4bf23ef0e7029
SHA1: fc8caa93324e7574d1deb61017689d7bc1ce8955 SHA256: 18e2826bf256d1072d4f933f20b96b2800d2ed359316c99276357e2f23100f01 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\xlsrvintl.dll.[sepsis@protonmail.com].sepsis | 256.31 KB |
MD5:
af238c549f1c5c8c9876e7a2a8c21063
SHA1: 6932821d642411327a3983ad17ed866d8202e7f5 SHA256: 223c21269e7f5b898bd61824b8460222de0ce89c70ffaac94aeb946cb214bd6f |
|
|
| c:\program files\common files\microsoft shared\office15\acecore.dll.[sepsis@protonmail.com].sepsis | 2.17 MB |
MD5:
c38c8e56896e4b6f62ba80600da2b576
SHA1: 70bc45e9f8c74b0dab7bed3c6480b7803c33833b SHA256: 16a27ed87324a63e5f07bce00d5e1c65c77952a93ad956dacac865798c8a344f |
|
|
| c:\program files\common files\microsoft shared\office15\acedao.dll.[sepsis@protonmail.com].sepsis | 602.93 KB |
MD5:
b49efe9ba26919fdc25b2d725bf9ca5d
SHA1: 3753cbeacc00511bc63d961e0f711a2885acf12d SHA256: 316aee7c9032c96299e0de908ccada5dd238b85dfd6f98aaf386e051c962d0ad |
|
|
| c:\program files\common files\microsoft shared\office15\aceerr.dll.[sepsis@protonmail.com].sepsis | 39.89 KB |
MD5:
52faa02dc4f12dde07bcbb65b69b8dad
SHA1: 70d60aa3a92822afbca25fe3f351e20ac5b70379 SHA256: 81249bd83a227142303d2a7830d7518ed14f6a4635f49314c30374784968d736 |
|
|
| c:\program files\common files\microsoft shared\office15\acees.dll.[sepsis@protonmail.com].sepsis | 857.41 KB |
MD5:
5bbf849c53adb02a9b4a3d080a8b640f
SHA1: 9f6cc88a83abacd313ebeb3822fec21f46cc4a06 SHA256: f1e61402c69c706852a9d7628260cc3fc5ed5e570e1cb68a8c70abd8fce7c20a |
|
|
| c:\program files\common files\microsoft shared\office15\aceexch.dll.[sepsis@protonmail.com].sepsis | 242.40 KB |
MD5:
468a7549fd149f275b10d752e0c82e70
SHA1: c0979060ffa7bdd5a3114c3324fd97328b2525b5 SHA256: 0822a586a050383037406804cd4f12acef429c04ac65526178d7e3ce7bab5557 |
|
|
| c:\program files\common files\microsoft shared\office15\aceexcl.dll.[sepsis@protonmail.com].sepsis | 520.39 KB |
MD5:
4c7c5981f3c2a5957b45b1776220b4b1
SHA1: 0c2981582c44e8505b9ab0e5a3a5d6d64b466652 SHA256: 03bcc12d0d6ac68d9a5eb22cfdd89024a5db19104487c68191fcab14dcca395f |
|
|
| c:\program files\common files\microsoft shared\office15\aceodbc.dll.[sepsis@protonmail.com].sepsis | 329.92 KB |
MD5:
ff346c9665b7e9e82af69a53d8b1429c
SHA1: 8055bb69845508584254f90300b0813978a54823 SHA256: 416917c48d2e02048bde833bd94534d068f07ca2140cfd418593894594efa40c |
|
|
| c:\program files\common files\microsoft shared\office15\aceodexl.dll.[sepsis@protonmail.com].sepsis | 16.32 KB |
MD5:
1f484a44f88da05c7dcce378c509d184
SHA1: 51c76770f274a3e56c4d2901a064d30f3baa6246 SHA256: 17b9a7f50e3df33ea45ffb85e05cc6fc5dff1f69eaf9d7cf963b58c4def23d5e |
|
|
| c:\program files\common files\microsoft shared\office15\aceodtxt.dll.[sepsis@protonmail.com].sepsis | 16.32 KB |
MD5:
29a19ace4b25eee1bfd424e366d47dce
SHA1: 325fcdbe3b92055ab27d9f2f5930a48b44ea2035 SHA256: ef32bcac712cbccd06050f46febc2e1fe0a3b137979983651741c86837ea1499 |
|
|
| c:\program files\common files\microsoft shared\office15\aceoledb.dll.[sepsis@protonmail.com].sepsis | 434.40 KB |
MD5:
5f559f7baa58dc93bc354d3f58765a64
SHA1: 32bca4100aaded3f9ca0a00bc39f72fe64a8c018 SHA256: 46674b4a9c0959840c2cc0bcbda88f46c745863bdc0c08f15c1409f539e60310 |
|
|
| c:\program files\common files\microsoft shared\office15\acetxt.dll.[sepsis@protonmail.com].sepsis | 198.89 KB |
MD5:
a87956a3fae7d10956b7a6f122cfd807
SHA1: a78393563b3626e5247557be3935583320e9d8e2 SHA256: 3bdee139de0d75411cb7cf8e5943384ad903e7a8295481720f15769195f8c715 |
|
|
| c:\program files\common files\microsoft shared\office15\acewdat.dll.[sepsis@protonmail.com].sepsis | 2.91 MB |
MD5:
f7e483ce003ef580ee6f7572ee09c914
SHA1: 1fdfb454abfd257e0d0a087d43799f9d667e2ea0 SHA256: 05eb82fdffd6c6ef627b2bdb557cfbba768f6280d79cb65d9f7ec1f4edc23cf8 |
|
|
| c:\program files\common files\microsoft shared\office15\acewss.dll.[sepsis@protonmail.com].sepsis | 306.90 KB |
MD5:
7197d73393763191cde8ab7fa429821d
SHA1: 45c7e7c2c69c75f541c67bc90f55aec0035786ff SHA256: cf74f95a22ff86b23f589a6229c94b59685bfbd2b62c1eaab2cc691f2e0b3f71 |
|
|
| c:\program files\common files\microsoft shared\office15\adal.dll.[sepsis@protonmail.com].sepsis | 852.84 KB |
MD5:
e71420c3b7525406739bcf2b4acf5da1
SHA1: 27c0469956357ac7d4e8d0bf7441dfa281d7a379 SHA256: 759e788d30f00e4ab556b864b337813811eaa0619bd074e81a8d94b658f41aa4 |
|
|
| c:\program files\common files\microsoft shared\office15\cmigrate.exe.[sepsis@protonmail.com].sepsis | 6.78 MB |
MD5:
9f725b0706fda1c639d4026b5bde2aa0
SHA1: 0cd8377d8a3d74a0a47111938f180aab4731fbc1 SHA256: e1299636ddaf703af48d75620110a84467a024e97886f034e82eabfcf45070e5 |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\boot\bcd.log1 | 0.18 KB |
MD5:
9d545a04b7368d29972e89376eeeb264
SHA1: 0e819aef207a012e2d068ca32360ac65b6bfcab9 SHA256: b4dd973aed2766bb439db73e91d88cc945fb283e68e437c2e330ce652e0123c5 |
|
|
| c:\boot\bcd.log2 | 0.18 KB |
MD5:
9d545a04b7368d29972e89376eeeb264
SHA1: 0e819aef207a012e2d068ca32360ac65b6bfcab9 SHA256: b4dd973aed2766bb439db73e91d88cc945fb283e68e437c2e330ce652e0123c5 |
|
|
| c:\boot\bootstat.dat | 64.00 KB |
MD5:
f5f732c22575bee4bba87805f554b311
SHA1: 16d12675c2c07f4194b57307ec887a03de5d6299 SHA256: 0c86848f3f2c2512e66819c64ba67c85b02f7241df3d850edcdcf18063f2953d |
|
|
| c:\boot\bootstat.dat | 64.18 KB |
MD5:
4ea95f48d0f2d0e5b75802d21c075970
SHA1: cc14d658ed5360f09019758eab9bcdbc17ef315b SHA256: 0a468b854de09777e9c8cbee51bbab967207821070105daea6832e8d58b8bfa9 |
|
|
| c:\bootnxt | 0.00 KB |
MD5:
93b885adfe0da089cdf634904fd59f71
SHA1: 5ba93c9db0cff93f52b521d7420e43f6eda2784f SHA256: 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d |
|
|
| c:\bootnxt | 0.18 KB |
MD5:
75083afb5f033e0d63f25e50f64f1641
SHA1: 0390bc6aa882f0cda5a80f382a544087bbbfb2ba SHA256: ba1194ff004e688f680e9426e8a2d8b55c250d103b97267361c4f2a0042dd8cb |
|
|
| c:\program files\common files\designer\msaddndr.olb | 15.61 KB |
MD5:
1108df7d19a17c500de8ac684950d742
SHA1: 3588c2cefafc75a8770efd61a29d9b49419c4bc2 SHA256: fbb1b8d5cf7b943ee9367e5da820ba3f10bdc40acdc0459ca4a27dc7ee5762e9 |
|
|
| c:\program files\common files\designer\msaddndr.olb | 15.79 KB |
MD5:
228da1815eb645b81cb702ba4c93d3e8
SHA1: d683d6a5399d65be44ea7218a6c8134e187e6f48 SHA256: cfac4d55bfc01bdf961127632ac255478390794a760de3030776396c413b18af |
|
|
| c:\program files\common files\microsoft shared\dw\dbghelp.dll | 1.31 MB |
MD5:
312289e1292aff1d25bb6a7df4d2bbe2
SHA1: 9ad793bcb21e3e9b18d840c00c8ddab567bac5f5 SHA256: 90074968c979523b006746c21134550ccd7067466cfe24b78276c72fbf48be74 |
|
|
| c:\program files\common files\microsoft shared\dw\dbghelp.dll | 1.31 MB |
MD5:
4679ab1652b6ae68dc69edade0a027c0
SHA1: 759b229ea4cf5e82296605071de808829199c353 SHA256: d00503057698662823a786fc3699cd36679e905690bb2d19d424b2cb5eadc3fe |
|
|
| c:\program files\common files\microsoft shared\dw\dw20.exe | 974.20 KB |
MD5:
21587eaad3120394426b036fc5b7277f
SHA1: 5839ab008b6d865f76f1929963d25d1c47ee5524 SHA256: 9388cb208954158e0cc3c8647dcb2d476d9bff5b80006587ba0f3524c2f4429a |
|
|
| c:\program files\common files\microsoft shared\dw\dw20.exe | 974.38 KB |
MD5:
58435dd3eed646e1eb9e69d039a8fa91
SHA1: a8cc9afd1509c53b8b3e60011b9b7e621e7f10fb SHA256: c0ee6d2f1c8bf01c38eb9d6380adcec6cf4a8520ca82e756a92172aa776c86a1 |
|
|
| c:\program files\common files\microsoft shared\dw\dwtrig20.exe | 574.23 KB |
MD5:
f0ea9218b3c1f961873efae9ac82a20d
SHA1: 816e816ddd31adb7e90ef84d69d7fc793679bc21 SHA256: 0b9173716de68122af51e8f955926f062e296619a9dbc043d2d4bc93e9078b2f |
|
|
| c:\program files\common files\microsoft shared\dw\dwtrig20.exe | 574.40 KB |
MD5:
0600feb1e31732b89988e3aafb444016
SHA1: 88d595150a145510984b09d0ccbf860fc9d63682 SHA256: 168d0ce4baa65d6f36d6d974469c3007b8dde7998fe3904d027bd8b9e971490f |
|
|
| c:\program files\common files\microsoft shared\equation\1033\eeintl.dll | 62.59 KB |
MD5:
f3e1265f2f72f0f30464c19fc0d9263d
SHA1: a63a10d4b34916cfc0d1b9d990244710b25b4b0f SHA256: 092167fb8180160d65ab2f79cc9fba22ef91580af15be7bcddb27ac5613f34dd |
|
|
| c:\program files\common files\microsoft shared\equation\1033\eeintl.dll | 62.77 KB |
MD5:
51eb3a059480b7576659efb1bad7f521
SHA1: 52934a488d2e7496332dac9fda1a1ee7c50da281 SHA256: 6e24e0590625060c7516290e4b35267a2edb452828da9c4de3304fe424ab7e49 |
|
|
| c:\program files\common files\microsoft shared\equation\eqnedt32.cnt | 2.50 KB |
MD5:
46ce3a6fe2aac3523a07e8f1c8a29660
SHA1: 2cbe46d709c3229fb789a28bbd3dcb75bdf891c0 SHA256: 113948f5486837f5b352cdc34558a02ac95ede605dc271205ec702280aa1ef11 |
|
|
| c:\program files\common files\microsoft shared\equation\eqnedt32.cnt | 2.67 KB |
MD5:
854d72551d4d99dbb6cc756ffd9e8738
SHA1: 68f9f153c4ef0fc748d75dfa8e791cd0d1544f39 SHA256: fccf5a199f776e44ceddfbbc2b7c566e0ef5e961eca803fda6484ff9091b23f6 |
|
|
| c:\program files\common files\microsoft shared\equation\eqnedt32.exe | 530.57 KB |
MD5:
a87236e214f6d42a65f5dedac816aec8
SHA1: 601f4e8cd6b1c5fcd8f0be4acf01a08261a07b94 SHA256: 3c4a68070f3d7f14e488ae4f7ede8e7add0f8029995dc800833126ca062a2c6c |
|
|
| c:\program files\common files\microsoft shared\equation\eqnedt32.exe | 530.75 KB |
MD5:
5b61ee119abfba50caf9100f8b687924
SHA1: 7001057ce7fd9edf64caf1ffc09345fdb43e7205 SHA256: 436f592ba523b6fbd9a355d227e1888f9fdcc27692f3874c3dfd8720470843c2 |
|
|
| c:\program files\common files\microsoft shared\equation\eqnedt32.exe.manifest | 0.55 KB |
MD5:
0b62cc4ea7d04f52dce02f386bf96712
SHA1: e1062f7bfb53a6be9949c6b51384068c07251369 SHA256: 7b06b9fa9c8063bf62a3851ba8b89b30e157dd98f14c1c6ecdc430c84f834df3 |
|
|
| c:\program files\common files\microsoft shared\equation\eqnedt32.exe.manifest | 0.73 KB |
MD5:
0194439975cb83f3c5216d7ad3f7babe
SHA1: 277bc16091bd3db68b0c9a858f9c3e5b1234511c SHA256: 35c13133831490c8f803447c90b44094a659416186f898448e6130e4a5f8962a |
|
|
| c:\program files\common files\microsoft shared\equation\eqnedt32.hlp | 172.18 KB |
MD5:
e59fbd1656036dfbd76c4392a56d3b8a
SHA1: 54d3c638053bf5a6584430881aad67cf3ae78aac SHA256: 52454f03fc9f71121a5d0a1c87a4d492f2c5819acc5c32448cc5c7e5ee801fe0 |
|
|
| c:\program files\common files\microsoft shared\equation\eqnedt32.hlp | 172.35 KB |
MD5:
9dc9a598750e702b78db22642270e816
SHA1: 50898393625d36d392fdc60fc69d3196d8db9635 SHA256: 8f39dccb819276c7b8671ebcf15bb236f6630bc80a3c5ea2196876f96a21d259 |
|
|
| c:\program files\common files\microsoft shared\equation\mtextra.ttf | 7.48 KB |
MD5:
e269de5f63fcdedca11755947615f1fb
SHA1: f36d544ffaf7cb5112b502dab224087e9b323e38 SHA256: 6c469962f33b7222f07b8d1ae8025f177f4a5f5db3eb62fa1523f261a270991f |
|
|
| c:\program files\common files\microsoft shared\equation\mtextra.ttf | 7.65 KB |
MD5:
bcae409c119f08f9fbcba36fb1f3996d
SHA1: f16eb9b6dfc87c6f1488572f79a27b60c8dd87f4 SHA256: 1c6a5aed2a55cc4ecf1e123c9ddc5a15ff6e70e1093a50d0c2716a453555a4b8 |
|
|
| c:\program files\common files\microsoft shared\euro\msoeuro.dll | 31.61 KB |
MD5:
9c8947698f2569829b573b1f1c4f34d0
SHA1: 3ac471cda1cd626ebd6fe007b33b761f355eac3c SHA256: 02a0429f14bad6963cf48ac29bac2693e073c29f34d8d13e09e772cdac46af87 |
|
|
| c:\program files\common files\microsoft shared\euro\msoeuro.dll | 31.79 KB |
MD5:
b9f03b53f35e476502bd2aa3a7e2e0e7
SHA1: e9060b4c87dc940c889a04615dd023d123bea84c SHA256: edeaff47c6510fcc1a1ac4365332bcc93254972475b617b0379ba89acf14a9ff |
|
|
| c:\program files\common files\microsoft shared\filters\msgfilt.dll | 39.12 KB |
MD5:
c93e3219fe53ed2d5313c78581cbda28
SHA1: 157f92c567a59463dbba28af4b48375851640c8d SHA256: e1c1d2a6478f9b34c00be31e7b36257917553bc1669ad0402b653eff928d3316 |
|
|
| c:\program files\common files\microsoft shared\filters\msgfilt.dll | 39.30 KB |
MD5:
2afb39ab896ddcb4c51fe2e75c6cecbd
SHA1: b3511398b7395c490924589ee255b04f1a50e205 SHA256: 163996e0c5a32e04f2ecbbdd474f53eca8ea0596ad77dffef41b9db4aa8605d4 |
|
|
| c:\program files\common files\microsoft shared\filters\odffilt.dll | 940.66 KB |
MD5:
6c945b72dd789c42b63d57a2865ccaeb
SHA1: 7e176b93cfdd9eed36a7849139dac85520e9ba3e SHA256: c3d94190de397ecaa4000431b3a2a4fb38adba1b2bb13eb540604b8e42ec4343 |
|
|
| c:\program files\common files\microsoft shared\filters\odffilt.dll | 940.83 KB |
MD5:
ef0d4357983d69bd33bf1419ee975f1d
SHA1: bf661ac03f4b37ed94420bb4bbdf7ac837eeb03d SHA256: e9cadc9c3a3ffb7dec58c32e0f433e90fa3c7df57e40276af79875de2f8ca2cd |
|
|
| c:\program files\common files\microsoft shared\filters\offfiltx.dll | 1.12 MB |
MD5:
ddb9ea671acd9c931d308c71b2643bfe
SHA1: d98492990a6c2001d1f118073d338aa13d77333c SHA256: a4caf9011f5821070762dad99393106235b7403e9708b0a96af8ebfd31e5dfcb |
|
|
| c:\program files\common files\microsoft shared\filters\offfiltx.dll | 1.12 MB |
MD5:
22cd6893caa9d3c373afa2cf77635f0e
SHA1: 9ac50bc7adbddcd7b7c3f3d34321cb681e45aeac SHA256: 36e5cc3a0661bfb3f27aa8a52f762f4c3e3f86fafcd5b6f2136d3436e00f8668 |
|
|
| c:\program files\common files\microsoft shared\filters\visfilt.dll | 3.74 MB |
MD5:
3aed295cdb86b67ef6d20e8a6e1fb765
SHA1: 7e763738ec6a78dea41079124d4f87868d34328f SHA256: 3992c0be7ae184fd156150e6807bac2d2b5342a2e93d56c153670a5ddda469bb |
|
|
| c:\program files\common files\microsoft shared\filters\visfilt.dll | 3.74 MB |
MD5:
0520ae921464d91df95d8173d8cf892f
SHA1: daa669d055663233a2a0db4f7e769916cfebb7bf SHA256: 3caac82d10cc4a029e96df56377e1c22e2e0f0d4a20bfa26119172d91616d479 |
|
|
| c:\program files\common files\microsoft shared\grphflt\epsimp32.flt | 635.15 KB |
MD5:
9bc53132f679cc81dc035fa517996f07
SHA1: 57da96b6aed705a5cba131aa4f2498b3aa5e4b1f SHA256: 9dbc949ecdf073a05b4ea0ed3e0101cfeb5c65e86b3cb4ccbee656926c18945d |
|
|
| c:\program files\common files\microsoft shared\grphflt\epsimp32.flt | 635.32 KB |
MD5:
f01a01b90023d35a294d577deded09c4
SHA1: c3c982d90dd4caa3f6dfb2c5c99b815220a1ead8 SHA256: de925baa026e639f8784a60f57e8918e53e8a83eb532eeb17976e133977a08fd |
|
|
| c:\program files\common files\microsoft shared\grphflt\gifimp32.flt | 250.13 KB |
MD5:
8ccbfd3c7d29199e24e635aaa40a6915
SHA1: 5e6c74b566ecedf7796a68ac05c7f8d1b8d75906 SHA256: c9a6f70b49d71e1cf02d81c07901d684380d6ddab3850d61066585c21dd6f7ec |
|
|
| c:\program files\common files\microsoft shared\grphflt\gifimp32.flt | 250.31 KB |
MD5:
6ac34efd31c14552b76654152f935c00
SHA1: d70d77b43532c14ae4090ed8e0a22643ff865916 SHA256: 506607a15f783ff167521d4fcd6f23246d4017f0d63db885e81a9729d72b5b9f |
|
|
| c:\program files\common files\microsoft shared\grphflt\jpegim32.flt | 228.14 KB |
MD5:
3ea451c27cf508eb310fbed92948e58e
SHA1: 36ad524136d710d094c9de0cf0070901383d69e6 SHA256: 15d659e67d300d340db898395d9f77a4b93eec7a7402c8a91a160bfd46589427 |
|
|
| c:\program files\common files\microsoft shared\grphflt\jpegim32.flt | 228.32 KB |
MD5:
c185e0cfcb57b9a1866fc3e1ecbc94e0
SHA1: f95072cd0eef0145ae595554494e0d172ed6ced4 SHA256: 5118411007a7bc2795b566400c3994cae10b9d6960bfff4c1cd6d6b657333bd5 |
|
|
| c:\program files\common files\microsoft shared\grphflt\ms.eps | 14.71 KB |
MD5:
2d6e9b31482030d4fef06bce9365cc76
SHA1: 4058b74ba434624ebfea89962382dc10c3751f7d SHA256: 984fc67b15e46d58020e218e7b63d4b07130410e456c38e15c180c1abedea377 |
|
|
| c:\program files\common files\microsoft shared\grphflt\ms.eps | 14.89 KB |
MD5:
b89c66ae83ee319c47ef70aea07d4f6f
SHA1: 1657ceb6734e2283b199173665836d951c1b5ccb SHA256: 2830f64ece6ec6cfe9a8350cb8e36fc6d7c4075a92f6af8739b3e21da3e36622 |
|
|
| c:\program files\common files\microsoft shared\grphflt\ms.gif | 1.04 KB |
MD5:
6936f4ee421c9242c660de4dfd7191b6
SHA1: 0ba478de375a06803fe995b44fe647ecb9343ad3 SHA256: 827f3149a54c5bcd6fc435953dca7a7806f76d6f9da89409d8763859233df933 |
|
|
| c:\program files\common files\microsoft shared\grphflt\ms.gif | 1.22 KB |
MD5:
e8b4fcad81b1fc2f77bc2bbc86c74428
SHA1: 0edf6d2383163920e473e19114109abf26916aa8 SHA256: 3ba1141f77ad6cb0631528a39cfdebd4783ac5e957792c9c94f3a4db916cfc54 |
|
|
| c:\program files\common files\microsoft shared\grphflt\ms.jpg | 1.04 KB |
MD5:
a1b434ea0c57b8f8b234d7dddfd67d5f
SHA1: 96076c20a1ef80baff7f0ff7e8d5804133425735 SHA256: ffb1a4dd4b6da771d46def621cf71421051203606aa1d3b64b73e92606328ecb |
|
|
| c:\program files\common files\microsoft shared\grphflt\ms.jpg | 1.21 KB |
MD5:
bab08a48799d6bceabd6ffa69a45adff
SHA1: 912f5ceb4061fe42b901d97c5af31c4cb06350d0 SHA256: 4ff4728b8d7f3e8a7722a88f24d613b286cc5e79662ec763ea72fde87b60e90d |
|
|
| c:\program files\common files\microsoft shared\grphflt\ms.png | 1.64 KB |
MD5:
3a4407be2afbd8b0348459d72f94127d
SHA1: 15e832c2647e3b819fffe933bc19a4e22a64ad3e SHA256: 39d247ae0014a175ec24ce5207b08f4017328cb1aae8916b046b5ac954899442 |
|
|
| c:\program files\common files\microsoft shared\grphflt\ms.png | 1.82 KB |
MD5:
0cfca8e12b1969e69a50d379d1e0b0a4
SHA1: d4940905210412d428d32beb2bdb4bcbaed3a583 SHA256: 756e173f860c789ec89215b77998efef4319aca90f3b0b570ec8c362c8314792 |
|
|
| c:\program files\common files\microsoft shared\grphflt\ms.wpg | 1.35 KB |
MD5:
ed21686acf6f81430b47aadd809139bf
SHA1: 5c02852a8b28fa336c273d0787a49641259f38a5 SHA256: beb31af1581af2866335bd0ad03d916b24c7bf6aeb707c703b6f40cfc8f0bced |
|
|
| c:\program files\common files\microsoft shared\grphflt\ms.wpg | 1.53 KB |
MD5:
f8e664a4cdddccdd94a2e001a154d7c3
SHA1: 3b8d80d7538aaff83fd35ce50bdecfc965189c95 SHA256: 7b4b523dfb131121c8aa23cd3fc71dcd2fb2c2b6d6f7eb8537151d8499a48e0e |
|
|
| c:\program files\common files\microsoft shared\grphflt\pictim32.flt | 74.65 KB |
MD5:
54a242b8e991dcc59204db3001d6cc24
SHA1: 4d8d59da07b8d81046b0cab6758465127b0116ca SHA256: 356c9cc04da8de17db7fbc3e8e5c980ea6a2b013cb99cdd4403462a5de2623e7 |
|
|
| c:\program files\common files\microsoft shared\grphflt\pictim32.flt | 74.82 KB |
MD5:
8b806f7da233198cbec9960a05c1aafe
SHA1: b217f887daf47143da6375f76b17845caaa07383 SHA256: 040644b7a36c09f68d25f524e15f81c97ebced94342ad5d1cd3b07b6a4d24cef |
|
|
| c:\program files\common files\microsoft shared\grphflt\png32.flt | 271.66 KB |
MD5:
4bbfc518967193c7be4a6d7838bd3999
SHA1: 4f7fe874ad2827dc11340e8ecfb83a844aa502d2 SHA256: 7bdd886c4abc19050d69dc8d0ffa51228d9237884cd438331865b87262c8016c |
|
|
| c:\program files\common files\microsoft shared\grphflt\png32.flt | 271.83 KB |
MD5:
8a86d7d639eb0ec65fa33f7c3bf3caec
SHA1: 88f03253366b74e934d6e8a075488e4d9de2f52e SHA256: f3ed9aa3e03b266572274e6ee73e3608435015169625402032a03a2ec09129be |
|
|
| c:\program files\common files\microsoft shared\grphflt\wpgimp32.flt | 263.66 KB |
MD5:
bcc1e13f8993204b6939b1d153fe3c44
SHA1: 313c4e1ad1507068beee561e0378fb491b871944 SHA256: a70572beede87eb6d3fc42d33d2dcffac69049e2d9f592ed330cd7e9c6e0aa87 |
|
|
| c:\program files\common files\microsoft shared\grphflt\wpgimp32.flt | 263.83 KB |
MD5:
31d015ed828cc0b1709be03f1683e558
SHA1: 5e4b26033a9a29e2121387bc461ae02e3ac8a8b2 SHA256: b9109453cf2bfbb128159f934a3e67faff1a4ee8f38b76d1bf3b22e3a5987550 |
|
|
| c:\program files\common files\microsoft shared\help\hx.hxc | 0.78 KB |
MD5:
fc6f9e1fd2cd944dffd548bae8ab2fc3
SHA1: 18ea2e4bde2874472efcc16a43c8c9774acd37fa SHA256: 24f3d1d585a06151ddacbfb1ee9512f554348d1e2bd8f8e3bd1bce3f0501f919 |
|
|
| c:\program files\common files\microsoft shared\help\hx.hxc | 0.96 KB |
MD5:
5a910a305d21654241d1881dd6b2ca98
SHA1: fac1e073a5820950c7805fac75380def45b93976 SHA256: 52f465b6655509ec4d8dd902ed101d69f88fc5160ba515357c5b2e8035c7a306 |
|
|
| c:\program files\common files\microsoft shared\help\hx.hxt | 0.17 KB |
MD5:
868dec059e20c7f28ba2805e6b047e44
SHA1: ed0f824a2319e2009dd8cd66cb3bfdb4035177e4 SHA256: 137bf5ec736bd430929690afc8fc92e999c8cfe08a4235d599cd1fdec9075762 |
|
|
| c:\program files\common files\microsoft shared\help\hx.hxt | 0.34 KB |
MD5:
332f8938a6dde0047ebf514b38118915
SHA1: 11258317cb082042b126f9d0a4d1332b98a52f6e SHA256: 3729ee9975b714fef76a42b4d77fd4242fc8489f3c84c87f5088b3e4c7c45b55 |
|
|
| c:\program files\common files\microsoft shared\help\hxds.dll | 1.18 MB |
MD5:
33061148aeaadf431d0580d42dad55bb
SHA1: a02a0e367bf58098c05031739050e8d64b02001c SHA256: d839ddc0780bdb9a01632a79d065fa5e050ebd45961ac3c73039c522248b624c |
|
|
| c:\program files\common files\microsoft shared\help\hxds.dll | 1.18 MB |
MD5:
667f6c344628b16b732846a33ef8729a
SHA1: b6813117ca3e3964cbda66d36123878616f8b285 SHA256: ce71b282e803bb143ce10e680678de427e9e6373d8625f046a7e877c4e2d2a4c |
|
|
| c:\program files\common files\microsoft shared\help\hxruntime.hxs | 27.23 KB |
MD5:
382c886fd239f3df7e8b8d6958df8f2c
SHA1: 68772e09e649eca0b229976dce85d4e1c1c9b96e SHA256: fe9702b0ec12b5d86a079f753c9e9cfe29f30714c34eb38904ea3d6a27a60961 |
|
|
| c:\program files\common files\microsoft shared\help\hxruntime.hxs | 27.40 KB |
MD5:
69b22a0aa6b2e57404fc7f60f7de9894
SHA1: 94197a64b2dcf3c09550efd309060754b0de9398 SHA256: 156fc56ce03ae51a79ef0743bdfb5fc1336717d899a6f813446dc26d75cbadbc |
|
|
| c:\program files\common files\microsoft shared\help\itircl55.dll | 1.72 MB |
MD5:
f92f9c6dafe390da792c63d84b927672
SHA1: 8eee9b85789becb184ff6576ccc1113152cf5da1 SHA256: 7804a26e4e6e682fdf642c18a3dd7bd05aea429868f0c200b061cb62afdb0729 |
|
|
| c:\program files\common files\microsoft shared\help\itircl55.dll | 1.72 MB |
MD5:
f24d563717ee2f63156fb105458c05a6
SHA1: 4a998e2f9733e243fda92b335f5d8ca35264dde5 SHA256: 27388703598ba072ce4802e4405458cc1a6a04bf11b8f8afe3d67aa62414e201 |
|
|
| c:\program files\common files\microsoft shared\help\keywords.hxk | 0.13 KB |
MD5:
9543c1e9a5d5f39bcfbebe1a07b76826
SHA1: dc38edfb5a39e3ac7e6d42810656ec888a24146e SHA256: ecaa81ff698af2f4d795128d0d218b4171a69cc0c6a9bdcf52c92e0fc2454ad0 |
|
|
| c:\program files\common files\microsoft shared\help\keywords.hxk | 0.31 KB |
MD5:
a090c1a1b74ff8085781f2b8e9924887
SHA1: a74ae3151765acf4ea9e0b7849e8d80c9aa100e6 SHA256: b20c0c3677553e1cc34f680aa1f13e7e10650cae310f1a594290967dd16f4a60 |
|
|
| c:\program files\common files\microsoft shared\help\msitss55.dll | 434.17 KB |
MD5:
a74679c355958740b5165736414df2d2
SHA1: ef5e79accbf25fb1096345ed92fcac223d4a73b6 SHA256: cbd70817a676fff0dc1d70587f28313867f9e9783bdbae2b7191301d4cbe210b |
|
|
| c:\program files\common files\microsoft shared\help\msitss55.dll | 434.35 KB |
MD5:
1764fad1c166cb87ce23f9a2a73b5b5f
SHA1: a358df20202c117d1a93b654a9e4f1ff236f66f4 SHA256: f1e1d4301138e16d80d1e208185c0a622c6f4a818d9b8c95d78b23cd3c9b1114 |
|
|
| c:\program files\common files\microsoft shared\help\namedurls.hxk | 0.14 KB |
MD5:
67d7183cf742812fe8f2466eebdb114c
SHA1: 465770f3be0a5a578e0a1776f4c4e7238caceeac SHA256: 7ac8ae8fbf69e7dcba2dfc3b74c7f1ea9ca1fe85b73d0c096b8cf5d80e036931 |
|
|
| c:\program files\common files\microsoft shared\help\namedurls.hxk | 0.31 KB |
MD5:
c29d9f7f3aff22bc50b2e2bf802b5fc2
SHA1: 90b22a9ecfb0de25572bbb448c91bff1c2eff84d SHA256: f27c7a2b9e3653570e783d532f65b1818eee9dc4f550f35e036d03b91eb88e17 |
|
|
| c:\program files\common files\microsoft shared\msclientdatamgr\mscdm.dll | 474.17 KB |
MD5:
5b80f96d7c2f1bab0df4a29f6761f9af
SHA1: 3254803fe75a88b45fc9f728c7bf00990167b607 SHA256: 28fafc6faf5765db748c736ac82c49d9cc8c32b5a6cab842dd7357484f9878b4 |
|
|
| c:\program files\common files\microsoft shared\msclientdatamgr\mscdm.dll | 474.35 KB |
MD5:
1e53c61737cdd277038516efce7e5a2f
SHA1: 93e625cd64dbf7459de2e5be89263bbf37199ccc SHA256: 662dbbcd37052dbe3271e56f84a0796cd5d957e51de199c29b90ab2a5e245d8e |
|
|
| c:\program files\common files\microsoft shared\office15\1033\aceintl.dll | 196.70 KB |
MD5:
ed0f71ba2445385829287a632e7c8c5f
SHA1: bb28e5d9f397cba17fa0f3eac30b9383ed1f4c49 SHA256: 65cceebd453d0ccf88114f4db6d17bbf4580d41197a83ccb19b812be88da24a6 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\aceintl.dll | 196.87 KB |
MD5:
be8c8fea5988a4e1f7f26d8eea4edfcf
SHA1: ac03db4447aebce19ecaf6d371c6c7d10442255e SHA256: 6238344ffc7f7d2338349d4b4447ed5331e3a0cd0caaa8dae58a7dec6b0d8a11 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\aceodbci.dll | 52.19 KB |
MD5:
10544b35237102a985b5f53d666424d4
SHA1: bb00a347c06c3408c2c7d7314a582cd5da09c272 SHA256: ab8a0622e935c69e8d4ba839f06153e5230dcd684939270630dc2fddebb87d5a |
|
|
| c:\program files\common files\microsoft shared\office15\1033\aceodbci.dll | 52.36 KB |
MD5:
9e9e7daf3a4499bf1a0b01b5a0b31d24
SHA1: db30fdf794c98a834239bd948b6ca328df366b74 SHA256: 1a80a33aaad3e641ea485158a127bfc2ba07c55aae05e823b71226ea6b96bf95 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\acewstr.dll | 839.17 KB |
MD5:
10ed6c90286e20b5775f08ce51dab3fc
SHA1: 5aef92733452f766d524fc2f9433e02db6e5fb98 SHA256: b6e6ca83d7c32093ad31db94e75b4837f2851a7e21c4467bf37f26d268830606 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\acewstr.dll | 839.35 KB |
MD5:
9ebcdfa5720d1b4d0676a1b90d6050c6
SHA1: 9f1303873f9bcf255949c5ae47ff7ff0a8018247 SHA256: dfa0841cae6fb52b0d14a78dad5bb7db6bb9e5e9b8d9cbb0813629c53e83257e |
|
|
| c:\program files\common files\microsoft shared\office15\1033\ado210.chm | 1.60 MB |
MD5:
07f24da6c320ab7b6dfe820fb68b676a
SHA1: 1ee30ea1e0ba5d1e06bf1e9b0ee6139adbd5d8ad SHA256: b8d6e8020044e60b44c22c45d64b6c9ee13606c612ea0da946ee05d0d01e4b41 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\ado210.chm | 1.60 MB |
MD5:
53fa6ab167d4cf68f5485a827c9f5426
SHA1: 1d38d51435d660e62f23a3aa851401bb1092bdff SHA256: 798c229d9384dc338d2bdbe1163b4bec541137c700e9e148953c447ae97971a2 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\alrtintl.dll | 150.59 KB |
MD5:
89ce4d1c870ab754d6a197c042466942
SHA1: 98d89cf3573c2fe86786837e0a1e6e21c798136e SHA256: d8ad0522a2cafd00fc360177b7102f9fe1c8a5243a8b00de377d971fdff763d0 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\alrtintl.dll | 150.77 KB |
MD5:
e4e7bfa9e0b14f5ead56a1e7b5d6f436
SHA1: b6054cc98f146519f3bb00a044f85b85ae2e2de4 SHA256: 1929c76bbbf9f8252ccdb2d16d5ab1e5c62a76b4acb04787386ffcdf6f9c10d0 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\msointl.dll | 3.46 MB |
MD5:
8f9811db3ddd440e2601027eb756a42d
SHA1: 7f763efda83358603474804c53ebc6f318931263 SHA256: fa56b4f2c40eb59d3d29fea8644024d500bf79b15e1c5d8266372887f8a01e09 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\msointl.dll | 3.46 MB |
MD5:
ef3ce4d94d705066ae8d508bb577fc8f
SHA1: e79f6cf9b060cb29a46d51e308b4d49de2532f8b SHA256: a9e19978f5270b2ae51ba2eeac974a7ab6c7d2c1653a11142cbb0a647af37a09 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\msointl.dll.idx_dll | 51.64 KB |
MD5:
7b34955960ff21d45655ac01ec973d14
SHA1: a25e476316e50892c84b7e5030bb19d177338cba SHA256: 47ad666d0f101d1b6365997c7e18a66752d5addbbd2c53eff1a9ff1bc83f7eb6 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\msointl.dll.idx_dll | 51.82 KB |
MD5:
c08256ba876262809f3fe1fcc583d069
SHA1: 198e1495c5a6ab7a7e935bde35029b34e813f3d4 SHA256: 84d57e8229377a7d8564767b5a288a3192f63c67fa6f5e1423fcd6c6b5c4cb2f |
|
|
| c:\program files\common files\microsoft shared\office15\1033\msointl.rest.idx_dll | 1.42 MB |
MD5:
0025bc172206303fe3a5f4ba25ccebb8
SHA1: 27eee98511e2edbb75ee6a4b9658471d13335ffd SHA256: a4d5e4c35782ac8e62e56c10358f2681b5637ac5b2e31631eac6dee5a35a3f94 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\msointl.rest.idx_dll | 1.42 MB |
MD5:
3ea4252fab4c5db8789d25072c3ae5da
SHA1: 4747cb0ba11394894f1c469be496c7948b5d3a97 SHA256: 139172e558815fe78d405bb31fde49d82d927b78f91a7bcd0c606b82321393a8 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\mssoapr3.dll | 41.15 KB |
MD5:
cecc0e57e5af5293aa27cafa6eec027e
SHA1: dfc1204e28a7e82433d098f137b22339b5e88e34 SHA256: 7eef8f4b6ab046ea737c8d1408941b2107f72d24a14bde7b80ac6d7fd453d68d |
|
|
| c:\program files\common files\microsoft shared\office15\1033\mssoapr3.dll | 41.32 KB |
MD5:
a4844d8708a189a4292b02e61e5bf612
SHA1: 68c83a795f703075cdb8d1ee8c995ec58c1ebfba SHA256: 03f35706da7c33d3096628f62b74297df677d93df5ef1edcde9bdde1669d7058 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\oarpmanr.dll | 12.15 KB |
MD5:
ee41c758a8df468da218d32f2f56c217
SHA1: 5bd6328400632b9b839be57f5ffc4412c176b7f7 SHA256: dea82dc2519d94070dc93f6ce0f96268c3f63c200cd5ccad8d42e4ce33bb879e |
|
|
| c:\program files\common files\microsoft shared\office15\1033\oarpmanr.dll | 12.32 KB |
MD5:
b5518f87053cf19ba6018ceebe450df1
SHA1: 650b95b51ca374cfc2a74153c30d2b1bbccabd51 SHA256: 4af68262225d8c0d637ce2c0dd52dbf27f58efdba6734cb3758022a0d031b537 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\osfintl.dll | 130.63 KB |
MD5:
5a7da3333aae47c02c8fba040e3f679c
SHA1: de86dcd417ed56715d1575e54b44fa458d2a6000 SHA256: b0e628007646e79c0d74f3a41a60a9225e042de1edaef5fdc4c1eeb815b83b9f |
|
|
| c:\program files\common files\microsoft shared\office15\1033\osfintl.dll | 130.81 KB |
MD5:
c87b7565588cee387565a6c6ccf422a8
SHA1: 1bf44e86edf8ba912fd5a217a4ff814c3f8fe107 SHA256: 6e86e96a2347996cbfd82e10bff52c96c0ade00d22b04884914bbdc97bc7adb1 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\osmdp32.msi | 2.18 MB |
MD5:
0a2c408dd0ca739f2b3166541dca414e
SHA1: 7e1812d16e16c031f46b4f695993eb7da6512775 SHA256: 1f6bd6b0d9750b1b96933bb4476c3d929ca3022c94338ea327bfcd60b9b0e1e7 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\osmdp32.msi | 2.18 MB |
MD5:
3f0ad0ca2c91a4f1b5a2b9415b31c5ea
SHA1: 62ec23ca63aa2d44da770d752fc9b98c9c1446f9 SHA256: c709d3a80d9f054981f775496ca868e86cb361e946a8c6fd0beba9d5949de682 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\osmdp64.msi | 2.30 MB |
MD5:
8788bb1d89f5c3d1c2ed6fda6e0874a4
SHA1: 461eefdc0da413f929e2780427bc740f6072abcb SHA256: b4afa4deace1055af1cbf8a24e9a4f581c8213acf6485358f142af44fbc24b08 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\osmdp64.msi | 2.30 MB |
MD5:
3b09458882c91c06db45a8036a963bda
SHA1: 17d33df3defa238d2d6ba933c24c0c648274a32d SHA256: d1c4d43767cd10ddac2a4ce38db5ce08d28df5f7ca8f123fb7552ddde6d9b89c |
|
|
| c:\program files\common files\microsoft shared\office15\1033\osmia32.msi | 1.73 MB |
MD5:
a7bf2a5229e9e7566ac64fd38b60e656
SHA1: 83699c3739b1e7839e81bd123cb3d5234ea9d982 SHA256: 8b073d4ef01d2832d96fa80c8276b5ac6e52191437c9d1a797a4eff3877338b8 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\osmia32.msi | 1.73 MB |
MD5:
0f299c2a63890deeca9861ff427d1a91
SHA1: ce6d17cf73c38d4abc4dc11a9f75dea67d5eed21 SHA256: 0021b1fff8b2d5358656b6c22c935ce2294ae9f059594a0445feb03ee8517c29 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\osmia64.msi | 1.77 MB |
MD5:
e07096cb89f2d178a14c5e81e6d12cd9
SHA1: 77a40ed76c814cb34a1da43a9201eb1f39fa84c0 SHA256: ff83e0451a67589c7bacfa8e8d4e10507633962895ab4d5a155165f2c5d559a4 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\osmia64.msi | 1.77 MB |
MD5:
5f94fc6d7000ec07eab968cda69e9c43
SHA1: 3d30076587e78ce20e9a239e35a22db5a3338f5a SHA256: 7316284f92a7fb4dfefe57f0ce52c76fa2b24f9ad2b7b57a4e7d1c1f18c92e61 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\readme.htm | 0.42 KB |
MD5:
8f68496d0f99b37e71c7bc326b0b9cbe
SHA1: 8ae59f5baa99e842653ad9376f308ad60ec1f802 SHA256: 6d021f570226ea01dc30f59f2775cf9fc2332658a3f5cdb2773ffe767b6213fe |
|
|
| c:\program files\common files\microsoft shared\office15\1033\readme.htm | 0.59 KB |
MD5:
2c1a30b17e42db7703d4bf23ef0e7029
SHA1: fc8caa93324e7574d1deb61017689d7bc1ce8955 SHA256: 18e2826bf256d1072d4f933f20b96b2800d2ed359316c99276357e2f23100f01 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\xlsrvintl.dll | 256.13 KB |
MD5:
11d95746f2f93db9ae179d2a70bd0735
SHA1: 6ad0d37baa7ec6bced2ff29bbce6ded79e557cf3 SHA256: b3deddc19fbed73e423af31bfd83d814c26e9f18cc0908ef24c74bd78d1c5482 |
|
|
| c:\program files\common files\microsoft shared\office15\1033\xlsrvintl.dll | 256.31 KB |
MD5:
af238c549f1c5c8c9876e7a2a8c21063
SHA1: 6932821d642411327a3983ad17ed866d8202e7f5 SHA256: 223c21269e7f5b898bd61824b8460222de0ce89c70ffaac94aeb946cb214bd6f |
|
|
| c:\program files\common files\microsoft shared\office15\acecore.dll | 2.17 MB |
MD5:
d91ca55ab74783fc4409c6b6fa6b2a7e
SHA1: 421c02567863ed9d3b5aa372f900c65e54e36da3 SHA256: d9f24cc34d30c077c1faa27dce0be711d58ebc67a524136a53e623a9d2d45cee |
|
|
| c:\program files\common files\microsoft shared\office15\acecore.dll | 2.17 MB |
MD5:
c38c8e56896e4b6f62ba80600da2b576
SHA1: 70bc45e9f8c74b0dab7bed3c6480b7803c33833b SHA256: 16a27ed87324a63e5f07bce00d5e1c65c77952a93ad956dacac865798c8a344f |
|
|
| c:\program files\common files\microsoft shared\office15\acedao.dll | 602.75 KB |
MD5:
007d0774541f6a407ab2ab423809a589
SHA1: 5e9ffb67ebeec13ef1b105fd72822ac6214e4f77 SHA256: c692d04a55a7e6b8867a6537ab503cb115fa006121c1bfb9b243bbef7f3a2a36 |
|
|
| c:\program files\common files\microsoft shared\office15\acedao.dll | 602.93 KB |
MD5:
b49efe9ba26919fdc25b2d725bf9ca5d
SHA1: 3753cbeacc00511bc63d961e0f711a2885acf12d SHA256: 316aee7c9032c96299e0de908ccada5dd238b85dfd6f98aaf386e051c962d0ad |
|
|
| c:\program files\common files\microsoft shared\office15\aceerr.dll | 39.71 KB |
MD5:
832df455a6e9126b8215ab7837212808
SHA1: 253aebdb6ce8e3bb19ce52ad5fef1a3c50f38f74 SHA256: 8e7c6603fdc9f5a7da643c99202a6568492ad840a8d833382f4887dbd038859a |
|
|
| c:\program files\common files\microsoft shared\office15\aceerr.dll | 39.89 KB |
MD5:
52faa02dc4f12dde07bcbb65b69b8dad
SHA1: 70d60aa3a92822afbca25fe3f351e20ac5b70379 SHA256: 81249bd83a227142303d2a7830d7518ed14f6a4635f49314c30374784968d736 |
|
|
| c:\program files\common files\microsoft shared\office15\acees.dll | 857.23 KB |
MD5:
f68ef9775a6957488c4654d22a067d67
SHA1: 56655e71291cc8710508eb3c59addaa49a07028d SHA256: 547242feec7968e975e82519f7e1ada389bd4fd79257f1767b3c289ae28c4efa |
|
|
| c:\program files\common files\microsoft shared\office15\acees.dll | 857.41 KB |
MD5:
5bbf849c53adb02a9b4a3d080a8b640f
SHA1: 9f6cc88a83abacd313ebeb3822fec21f46cc4a06 SHA256: f1e61402c69c706852a9d7628260cc3fc5ed5e570e1cb68a8c70abd8fce7c20a |
|
|
| c:\program files\common files\microsoft shared\office15\aceexch.dll | 242.23 KB |
MD5:
695833a6e9dc213f149bc07ebe131151
SHA1: 7f1f65d609c224fe5be7b4b928f46852e7ee288b SHA256: 6df83d5a3e673b27aaf17135cbff03245f9d16e22101c95d0b7e4ba51931b901 |
|
|
| c:\program files\common files\microsoft shared\office15\aceexch.dll | 242.40 KB |
MD5:
468a7549fd149f275b10d752e0c82e70
SHA1: c0979060ffa7bdd5a3114c3324fd97328b2525b5 SHA256: 0822a586a050383037406804cd4f12acef429c04ac65526178d7e3ce7bab5557 |
|
|
| c:\program files\common files\microsoft shared\office15\aceexcl.dll | 520.22 KB |
MD5:
cc5126933bdd80ee02e7bbb86900a533
SHA1: 97c119a75e7f20ab0a9f0092d53d42ebf710ca43 SHA256: 6537b1484198d6606ecaf833068cb910d661e20b73cb13fa728ccb80795efe0b |
|
|
| c:\program files\common files\microsoft shared\office15\aceexcl.dll | 520.39 KB |
MD5:
4c7c5981f3c2a5957b45b1776220b4b1
SHA1: 0c2981582c44e8505b9ab0e5a3a5d6d64b466652 SHA256: 03bcc12d0d6ac68d9a5eb22cfdd89024a5db19104487c68191fcab14dcca395f |
|
|
| c:\program files\common files\microsoft shared\office15\aceodbc.dll | 329.74 KB |
MD5:
75e285a458724f1326823c9f7800d000
SHA1: 4df06f0fd7535504d93fb6f6f13aff11cac7daa4 SHA256: b98af348bef74e7cc24368d048e07b5d2b9b5dc210f484f863b728975ee60db7 |
|
|
| c:\program files\common files\microsoft shared\office15\aceodbc.dll | 329.92 KB |
MD5:
ff346c9665b7e9e82af69a53d8b1429c
SHA1: 8055bb69845508584254f90300b0813978a54823 SHA256: 416917c48d2e02048bde833bd94534d068f07ca2140cfd418593894594efa40c |
|
|
| c:\program files\common files\microsoft shared\office15\aceodexl.dll | 16.15 KB |
MD5:
ba2cbabb58efb619b742d3594df82fe2
SHA1: 42f2e1488f9baf09bb89a781384981cb31a98d5a SHA256: 02db11ff0f418de37dc7dea84c7df132b98dded31f404570fd3e3d57ec6526da |
|
|
| c:\program files\common files\microsoft shared\office15\aceodexl.dll | 16.32 KB |
MD5:
1f484a44f88da05c7dcce378c509d184
SHA1: 51c76770f274a3e56c4d2901a064d30f3baa6246 SHA256: 17b9a7f50e3df33ea45ffb85e05cc6fc5dff1f69eaf9d7cf963b58c4def23d5e |
|
|
| c:\program files\common files\microsoft shared\office15\aceodtxt.dll | 16.15 KB |
MD5:
7c322691c216b019273505f78800511a
SHA1: f961a8c90f5c83329460ce5fb10f3d2c213dec4c SHA256: 26761549cb1e0a3947509ada9781578fabbc61bf83e5486f3ef333acb24ffb01 |
|
|
| c:\program files\common files\microsoft shared\office15\aceodtxt.dll | 16.32 KB |
MD5:
29a19ace4b25eee1bfd424e366d47dce
SHA1: 325fcdbe3b92055ab27d9f2f5930a48b44ea2035 SHA256: ef32bcac712cbccd06050f46febc2e1fe0a3b137979983651741c86837ea1499 |
|
|
| c:\program files\common files\microsoft shared\office15\aceoledb.dll | 434.23 KB |
MD5:
4dd6290e2b84dfbe08094f2cd143d201
SHA1: dfffbb59d84cafd02c68b330faa2b1ec995502d6 SHA256: 40eddbb515314a7776d97f2e407f74cf40991b0535af2459e7aad11ab4dccd93 |
|
|
| c:\program files\common files\microsoft shared\office15\aceoledb.dll | 434.40 KB |
MD5:
5f559f7baa58dc93bc354d3f58765a64
SHA1: 32bca4100aaded3f9ca0a00bc39f72fe64a8c018 SHA256: 46674b4a9c0959840c2cc0bcbda88f46c745863bdc0c08f15c1409f539e60310 |
|
|
| c:\program files\common files\microsoft shared\office15\acetxt.dll | 198.71 KB |
MD5:
ab643cc9cfcd2f2da49e6d9e2b075a7c
SHA1: f41fed3ad8a6ed248e36f447954d56aa0553534b SHA256: b9e48ff742d7b50cd760a11a7746562af25a742ef1acb43ef4ac7818593431c4 |
|
|
| c:\program files\common files\microsoft shared\office15\acetxt.dll | 198.89 KB |
MD5:
a87956a3fae7d10956b7a6f122cfd807
SHA1: a78393563b3626e5247557be3935583320e9d8e2 SHA256: 3bdee139de0d75411cb7cf8e5943384ad903e7a8295481720f15769195f8c715 |
|
|
| c:\program files\common files\microsoft shared\office15\acewdat.dll | 2.91 MB |
MD5:
647805170c08d2494f35f1437c998f6e
SHA1: 533abafbb1fb6ea0d287937f2d59e6e586260adc SHA256: f0a6819c08a07b7b5b138f92203e201023351a7826e49e8b5990fe364f4a467f |
|
|
| c:\program files\common files\microsoft shared\office15\acewdat.dll | 2.91 MB |
MD5:
f7e483ce003ef580ee6f7572ee09c914
SHA1: 1fdfb454abfd257e0d0a087d43799f9d667e2ea0 SHA256: 05eb82fdffd6c6ef627b2bdb557cfbba768f6280d79cb65d9f7ec1f4edc23cf8 |
|
|
| c:\program files\common files\microsoft shared\office15\acewss.dll | 306.73 KB |
MD5:
b9295ce35a64cb40dade608be9ffe6c6
SHA1: 735ee1342a8db6797d461aefb11815513a7bc84b SHA256: ebe5ca3172453f3793bbf4dd9a4626f08b1c00384b287b6bb0065b19fca449a5 |
|
|
| c:\program files\common files\microsoft shared\office15\acewss.dll | 306.90 KB |
MD5:
7197d73393763191cde8ab7fa429821d
SHA1: 45c7e7c2c69c75f541c67bc90f55aec0035786ff SHA256: cf74f95a22ff86b23f589a6229c94b59685bfbd2b62c1eaab2cc691f2e0b3f71 |
|
|
| c:\program files\common files\microsoft shared\office15\adal.dll | 852.66 KB |
MD5:
212886087460329da2309d9a331d9c6c
SHA1: 48fa1dcf769a7dc8d0e8fbbc0ffe7e9c20315f53 SHA256: f74bda64e3e6709c67dae82968b75a59c1c20d6c5727d70f8aae6f8a9215d79a |
|
|
| c:\program files\common files\microsoft shared\office15\adal.dll | 852.84 KB |
MD5:
e71420c3b7525406739bcf2b4acf5da1
SHA1: 27c0469956357ac7d4e8d0bf7441dfa281d7a379 SHA256: 759e788d30f00e4ab556b864b337813811eaa0619bd074e81a8d94b658f41aa4 |
|
|
| c:\program files\common files\microsoft shared\office15\cmigrate.exe | 6.78 MB |
MD5:
86abd59e7c4cf6bfa97651417625dc1d
SHA1: 615b8469602b5353538f0c3dfeb7e36c415fe634 SHA256: e92c7a19b85d4515c9b0257cd7d45eca2ee10449ad01cae25831fb46c4828d86 |
|
|
| c:\program files\common files\microsoft shared\office15\cmigrate.exe | 6.78 MB |
MD5:
9f725b0706fda1c639d4026b5bde2aa0
SHA1: 0cd8377d8a3d74a0a47111938f180aab4731fbc1 SHA256: e1299636ddaf703af48d75620110a84467a024e97886f034e82eabfcf45070e5 |
|
|
| c:\program files\common files\microsoft shared\office15\csi.dll | 5.30 MB |
MD5:
0b148a75bbcef7dfd2e0dbf1d36c6c69
SHA1: a34e172145ec418af791a16bb9e589edb84cebe0 SHA256: 5f0b6860a34a25f30e93d4cbd6dcaa601bd6edd89347886627016c10d5f849a2 |
|
|
Host Behavior
File (665)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Boot\BCD | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\BCD.LOG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\BCD.LOG1 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\BCD.LOG1 | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Boot\BCD.LOG2 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\BCD.LOG2 | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Boot\bg-BG\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\BOOTSTAT.DAT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\BOOTSTAT.DAT | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Boot\cs-CZ\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\cs-CZ\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\da-DK\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\da-DK\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\de-DE\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\de-DE\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\el-GR\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\el-GR\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\en-GB\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\en-US\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\en-US\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\es-ES\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\es-ES\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\et-EE\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\fi-FI\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\fi-FI\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\chs_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\cht_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\jpn_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\kor_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\malgunn_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\malgun_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\meiryon_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\meiryo_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\msjhn_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\msjh_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\msyhn_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\msyh_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\segmono_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\segoen_slboot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\segoe_slboot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\wgl4_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\fr-FR\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\fr-FR\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\hr-HR\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\hu-HU\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\hu-HU\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\it-IT\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\it-IT\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\ja-JP\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\ja-JP\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\ko-KR\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\ko-KR\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\lt-LT\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\lv-LV\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\memtest.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\nb-NO\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\nb-NO\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\nl-NL\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\nl-NL\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\pl-PL\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\pl-PL\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\pt-BR\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\pt-BR\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\pt-PT\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\pt-PT\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\qps-ploc\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\qps-ploc\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Resources\bootres.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Resources\en-US\bootres.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\ro-RO\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\ru-RU\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\ru-RU\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\sk-SK\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\sl-SI\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\sr-Latn-CS\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\sr-Latn-RS\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\sv-SE\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\sv-SE\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\tr-TR\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\tr-TR\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\uk-UA\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\zh-CN\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\zh-CN\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\zh-HK\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\zh-HK\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\zh-TW\bootmgr.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\zh-TW\memtest.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\bootmgr | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\BOOTNXT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\BOOTNXT | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\BOOTSECT.BAK | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\hiberfil.sys | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\pagefile.sys | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\DW\DBGHELP.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\DW\DBGHELP.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\DW\DWTRIG20.EXE | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\DW\DWTRIG20.EXE | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\EQUATION\1033\EEINTL.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\EQUATION\1033\EEINTL.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.CNT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.CNT | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\EQUATION\eqnedt32.exe.manifest | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\EQUATION\eqnedt32.exe.manifest | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.HLP | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.HLP | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\EQUATION\MTEXTRA.TTF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\EQUATION\MTEXTRA.TTF | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\EURO\MSOEURO.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\EURO\MSOEURO.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Filters\msgfilt.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Filters\msgfilt.dll | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Filters\odffilt.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Filters\odffilt.dll | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Filters\offfiltx.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Filters\offfiltx.dll | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Filters\VISFILT.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Filters\VISFILT.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\GRPHFLT\EPSIMP32.FLT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\GRPHFLT\EPSIMP32.FLT | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.EPS | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.EPS | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.GIF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.GIF | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.JPG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.JPG | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.PNG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.PNG | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.WPG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.WPG | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\GRPHFLT\PICTIM32.FLT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\GRPHFLT\PICTIM32.FLT | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\GRPHFLT\PNG32.FLT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\GRPHFLT\PNG32.FLT | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\GRPHFLT\WPGIMP32.FLT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\GRPHFLT\WPGIMP32.FLT | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Help\Hx.HxC | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Help\Hx.HxC | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Help\Hx.HxT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Help\Hx.HxT | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Help\hxds.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Help\hxds.dll | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Help\HxRuntime.HxS | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Help\HxRuntime.HxS | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Help\itircl55.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Help\itircl55.dll | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Help\Keywords.HxK | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Help\Keywords.HxK | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Help\msitss55.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Help\msitss55.dll | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Help\NamedUrls.HxK | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\Help\NamedUrls.HxK | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\Content.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-correct.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-delete.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-join.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-split.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\correct.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\delete.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\FlickLearningWizard.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\IPSEventLogMsg.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\IpsMigrationPlugin.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\join.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\split.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\TipBand.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\FlickAnimation.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\FlickLearningWizard.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\hwrenalm.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\hwruklm.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\hwruksh.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\hwrusalm.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\IPSEventLogMsg.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\IpsPlugin.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\journal.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\micaut.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\mraut.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-CS\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\TipBand.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\tipresx.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\zh-HK\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\MSClientDataMgr\MSCDM.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\MSClientDataMgr\MSCDM.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEINTL.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEINTL.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEODBCI.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEODBCI.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEWSTR.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEWSTR.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ADO210.CHM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ADO210.CHM | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ALRTINTL.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ALRTINTL.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.DLL.IDX_DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.DLL.IDX_DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.REST.IDX_DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.REST.IDX_DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSSOAPR3.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSSOAPR3.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\OARPMANR.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\OARPMANR.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\OSFINTL.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\OSFINTL.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmdp32.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmdp32.msi | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmdp64.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmdp64.msi | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmia32.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmia32.msi | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmia64.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmia64.msi | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\README.HTM | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\README.HTM | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\xlsrvintl.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\xlsrvintl.dll | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACECORE.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACECORE.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEDAO.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEDAO.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEERR.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEERR.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEES.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEES.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEEXCH.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEEXCH.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEEXCL.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEEXCL.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODBC.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODBC.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODEXL.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODEXL.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODTXT.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODTXT.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEOLEDB.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEOLEDB.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACETXT.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACETXT.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEWDAT.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEWDAT.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEWSS.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEWSS.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ADAL.DLL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\ADAL.DLL | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\CMigrate.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\CMigrate.exe | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\Csi.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\Csi.dll | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\CSISYNCCLIENT.EXE | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\CSISYNCCLIENT.EXE | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\Cultures\OFFICE.ODF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\as80.xsl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\as80.xsl | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\as90.xsl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\as90.xsl | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\db2v0801.xsl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\db2v0801.xsl | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\informix.xsl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\informix.xsl | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\msjet.xsl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\msjet.xsl | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\orcl7.xsl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\orcl7.xsl | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql2000.xsl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql2000.xsl | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql70.xsl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql70.xsl | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql90.xsl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql90.xsl | file_attributes = _O_RDONLY | _O_BINARY |
|
1 | |
| Create | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sqlpdw.xsl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | C:\Boot\BCD.LOG1 | type = size |
|
1 | |
| Get Info | C:\Boot\BCD.LOG2 | type = size |
|
1 | |
| Get Info | C:\Boot\BOOTSTAT.DAT | type = size |
|
1 | |
| Get Info | C:\BOOTNXT | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\DW\DBGHELP.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\DW\DWTRIG20.EXE | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\EQUATION\1033\EEINTL.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.CNT | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\EQUATION\eqnedt32.exe.manifest | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.HLP | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\EQUATION\MTEXTRA.TTF | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\EURO\MSOEURO.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\Filters\msgfilt.dll | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\Filters\odffilt.dll | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\Filters\offfiltx.dll | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\Filters\VISFILT.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\GRPHFLT\EPSIMP32.FLT | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.EPS | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.GIF | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.JPG | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.PNG | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.WPG | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\GRPHFLT\PICTIM32.FLT | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\GRPHFLT\PNG32.FLT | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\GRPHFLT\WPGIMP32.FLT | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\Help\Hx.HxC | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\Help\Hx.HxT | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\Help\hxds.dll | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\Help\HxRuntime.HxS | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\Help\itircl55.dll | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\Help\Keywords.HxK | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\Help\msitss55.dll | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\Help\NamedUrls.HxK | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\MSClientDataMgr\MSCDM.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEINTL.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEODBCI.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEWSTR.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ADO210.CHM | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ALRTINTL.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.DLL.IDX_DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.REST.IDX_DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSSOAPR3.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\OARPMANR.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\OSFINTL.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmdp32.msi | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmdp64.msi | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmia32.msi | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmia64.msi | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\README.HTM | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\xlsrvintl.dll | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACECORE.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEDAO.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEERR.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEES.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEEXCH.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEEXCL.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODBC.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODEXL.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODTXT.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEOLEDB.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACETXT.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEWDAT.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEWSS.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\ADAL.DLL | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\CMigrate.exe | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\Csi.dll | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\CSISYNCCLIENT.EXE | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\as80.xsl | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\as90.xsl | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\db2v0801.xsl | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\informix.xsl | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\msjet.xsl | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\orcl7.xsl | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql2000.xsl | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql70.xsl | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql90.xsl | type = size |
|
1 | |
| Get Info | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sqlpdw.xsl | type = size |
|
1 | |
| Copy | C:\Windows\svchost.exe | source_filename = C:\Windows\svchost.exe |
|
1 | |
| Move | C:\Boot\BCD.LOG1.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Boot\BCD.LOG1 |
|
1 | |
| Move | C:\Boot\BCD.LOG2.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Boot\BCD.LOG2 |
|
1 | |
| Move | C:\Boot\BOOTSTAT.DAT.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Boot\BOOTSTAT.DAT |
|
1 | |
| Move | C:\BOOTNXT.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\BOOTNXT |
|
1 | |
| Move | C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\DW\DBGHELP.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\DW\DBGHELP.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\DW\DWTRIG20.EXE.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\DW\DWTRIG20.EXE |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\EQUATION\1033\EEINTL.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\EQUATION\1033\EEINTL.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.CNT.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.CNT |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\EQUATION\eqnedt32.exe.manifest.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\EQUATION\eqnedt32.exe.manifest |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.HLP.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.HLP |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\EQUATION\MTEXTRA.TTF.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\EQUATION\MTEXTRA.TTF |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\EURO\MSOEURO.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\EURO\MSOEURO.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\Filters\msgfilt.dll.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\Filters\msgfilt.dll |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\Filters\odffilt.dll.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\Filters\odffilt.dll |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\Filters\offfiltx.dll.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\Filters\offfiltx.dll |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\Filters\VISFILT.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\Filters\VISFILT.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\GRPHFLT\EPSIMP32.FLT.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\GRPHFLT\EPSIMP32.FLT |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.EPS.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.EPS |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.GIF.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.GIF |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.JPG.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.JPG |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.PNG.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.PNG |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.WPG.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.WPG |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\GRPHFLT\PICTIM32.FLT.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\GRPHFLT\PICTIM32.FLT |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\GRPHFLT\PNG32.FLT.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\GRPHFLT\PNG32.FLT |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\GRPHFLT\WPGIMP32.FLT.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\GRPHFLT\WPGIMP32.FLT |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\Help\Hx.HxC.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\Help\Hx.HxC |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\Help\Hx.HxT.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\Help\Hx.HxT |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\Help\hxds.dll.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\Help\hxds.dll |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\Help\HxRuntime.HxS.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\Help\HxRuntime.HxS |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\Help\itircl55.dll.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\Help\itircl55.dll |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\Help\Keywords.HxK.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\Help\Keywords.HxK |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\Help\msitss55.dll.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\Help\msitss55.dll |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\Help\NamedUrls.HxK.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\Help\NamedUrls.HxK |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\MSClientDataMgr\MSCDM.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\MSClientDataMgr\MSCDM.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEINTL.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEINTL.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEODBCI.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEODBCI.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEWSTR.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEWSTR.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ADO210.CHM.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ADO210.CHM |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ALRTINTL.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ALRTINTL.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.DLL.IDX_DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.DLL.IDX_DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.REST.IDX_DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.REST.IDX_DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSSOAPR3.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSSOAPR3.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\OARPMANR.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\OARPMANR.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\OSFINTL.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\OSFINTL.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmdp32.msi.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmdp32.msi |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmdp64.msi.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmdp64.msi |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmia32.msi.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmia32.msi |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmia64.msi.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmia64.msi |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\README.HTM.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\README.HTM |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\xlsrvintl.dll.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\xlsrvintl.dll |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACECORE.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACECORE.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEDAO.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEDAO.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEERR.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEERR.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEES.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEES.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEEXCH.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEEXCH.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEEXCL.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEEXCL.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODBC.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODBC.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODEXL.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODEXL.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODTXT.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODTXT.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEOLEDB.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEOLEDB.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACETXT.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACETXT.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEWDAT.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEWDAT.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEWSS.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEWSS.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\ADAL.DLL.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ADAL.DLL |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\CMigrate.exe.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\CMigrate.exe |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\Csi.dll.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\Csi.dll |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\CSISYNCCLIENT.EXE.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\CSISYNCCLIENT.EXE |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\as80.xsl.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\as80.xsl |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\as90.xsl.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\as90.xsl |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\db2v0801.xsl.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\db2v0801.xsl |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\informix.xsl.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\informix.xsl |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\msjet.xsl.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\msjet.xsl |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\orcl7.xsl.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\orcl7.xsl |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql2000.xsl.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql2000.xsl |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql70.xsl.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql70.xsl |
|
1 | |
| Move | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql90.xsl.[Sepsis@protonmail.com].SEPSIS | source_filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql90.xsl |
|
1 | |
| Write | C:\Boot\BCD.LOG1 | size = 180 |
|
1 | |
| Write | C:\Boot\BCD.LOG2 | size = 180 |
|
1 | |
| Write | C:\Boot\BOOTSTAT.DAT | size = 180 |
|
1 | |
| Write | C:\BOOTNXT | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\DW\DBGHELP.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\DW\DWTRIG20.EXE | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\EQUATION\1033\EEINTL.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.CNT | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\EQUATION\eqnedt32.exe.manifest | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.HLP | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\EQUATION\MTEXTRA.TTF | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\EURO\MSOEURO.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\Filters\msgfilt.dll | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\Filters\odffilt.dll | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\Filters\offfiltx.dll | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\Filters\VISFILT.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\GRPHFLT\EPSIMP32.FLT | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.EPS | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.GIF | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.JPG | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.PNG | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.WPG | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\GRPHFLT\PICTIM32.FLT | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\GRPHFLT\PNG32.FLT | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\GRPHFLT\WPGIMP32.FLT | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\Help\Hx.HxC | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\Help\Hx.HxT | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\Help\hxds.dll | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\Help\HxRuntime.HxS | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\Help\itircl55.dll | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\Help\Keywords.HxK | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\Help\msitss55.dll | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\Help\NamedUrls.HxK | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\MSClientDataMgr\MSCDM.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEINTL.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEODBCI.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEWSTR.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ADO210.CHM | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ALRTINTL.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.DLL.IDX_DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.REST.IDX_DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSSOAPR3.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\OARPMANR.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\OSFINTL.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmdp32.msi | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmdp64.msi | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmia32.msi | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmia64.msi | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\README.HTM | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\xlsrvintl.dll | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACECORE.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEDAO.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEERR.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEES.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEEXCH.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEEXCL.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODBC.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODEXL.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODTXT.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEOLEDB.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACETXT.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEWDAT.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEWSS.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\ADAL.DLL | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\CMigrate.exe | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\Csi.dll | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\CSISYNCCLIENT.EXE | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\as80.xsl | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\as90.xsl | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\db2v0801.xsl | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\informix.xsl | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\msjet.xsl | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\orcl7.xsl | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql2000.xsl | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql70.xsl | size = 180 |
|
1 | |
| Write | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql90.xsl | size = 180 |
|
1 | |
| Delete | C:\Windows\svchost.exe | - |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | - |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | value_name = Shell, data = C:\Windows\explorer.exe, C:\Windows\svchost.exe, size = 520, type = REG_SZ |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | cmd.exe | show_window = SW_HIDE |
|
1 |
Module (169)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x770a0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\svchost.exe, file_name_orig = C:\Windows\svchost.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlSetProcessIsCritical, address_out = 0x7717644a |
|
1 | |
| Create Mapping | C:\Boot\BCD.LOG1 | filename = C:\Boot\BCD.LOG1, protection = PAGE_READWRITE, maximum_size = 0 |
|
1 | |
| Create Mapping | C:\Boot\BCD.LOG2 | filename = C:\Boot\BCD.LOG2, protection = PAGE_READWRITE, maximum_size = 0 |
|
1 | |
| Create Mapping | C:\Boot\BOOTSTAT.DAT | filename = C:\Boot\BOOTSTAT.DAT, protection = PAGE_READWRITE, maximum_size = 65536 |
|
1 | |
| Create Mapping | C:\BOOTNXT | filename = C:\BOOTNXT, protection = PAGE_READWRITE, maximum_size = 1 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB | filename = C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB, protection = PAGE_READWRITE, maximum_size = 15984 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\DW\DBGHELP.DLL | filename = C:\Program Files\Common Files\microsoft shared\DW\DBGHELP.DLL, protection = PAGE_READWRITE, maximum_size = 1369952 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE | filename = C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE, protection = PAGE_READWRITE, maximum_size = 997584 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\DW\DWTRIG20.EXE | filename = C:\Program Files\Common Files\microsoft shared\DW\DWTRIG20.EXE, protection = PAGE_READWRITE, maximum_size = 588008 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\EQUATION\1033\EEINTL.DLL | filename = C:\Program Files\Common Files\microsoft shared\EQUATION\1033\EEINTL.DLL, protection = PAGE_READWRITE, maximum_size = 64096 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.CNT | filename = C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.CNT, protection = PAGE_READWRITE, maximum_size = 2557 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | filename = C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE, protection = PAGE_READWRITE, maximum_size = 543304 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\EQUATION\eqnedt32.exe.manifest | filename = C:\Program Files\Common Files\microsoft shared\EQUATION\eqnedt32.exe.manifest, protection = PAGE_READWRITE, maximum_size = 566 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.HLP | filename = C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.HLP, protection = PAGE_READWRITE, maximum_size = 176311 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\EQUATION\MTEXTRA.TTF | filename = C:\Program Files\Common Files\microsoft shared\EQUATION\MTEXTRA.TTF, protection = PAGE_READWRITE, maximum_size = 7656 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\EURO\MSOEURO.DLL | filename = C:\Program Files\Common Files\microsoft shared\EURO\MSOEURO.DLL, protection = PAGE_READWRITE, maximum_size = 32368 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\Filters\msgfilt.dll | filename = C:\Program Files\Common Files\microsoft shared\Filters\msgfilt.dll, protection = PAGE_READWRITE, maximum_size = 40064 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\Filters\odffilt.dll | filename = C:\Program Files\Common Files\microsoft shared\Filters\odffilt.dll, protection = PAGE_READWRITE, maximum_size = 963232 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\Filters\offfiltx.dll | filename = C:\Program Files\Common Files\microsoft shared\Filters\offfiltx.dll, protection = PAGE_READWRITE, maximum_size = 1178264 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\Filters\VISFILT.DLL | filename = C:\Program Files\Common Files\microsoft shared\Filters\VISFILT.DLL, protection = PAGE_READWRITE, maximum_size = 1572864 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\GRPHFLT\EPSIMP32.FLT | filename = C:\Program Files\Common Files\microsoft shared\GRPHFLT\EPSIMP32.FLT, protection = PAGE_READWRITE, maximum_size = 650392 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT | filename = C:\Program Files\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT, protection = PAGE_READWRITE, maximum_size = 256136 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT | filename = C:\Program Files\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT, protection = PAGE_READWRITE, maximum_size = 233616 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.EPS | filename = C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.EPS, protection = PAGE_READWRITE, maximum_size = 15067 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.GIF | filename = C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.GIF, protection = PAGE_READWRITE, maximum_size = 1069 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.JPG | filename = C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.JPG, protection = PAGE_READWRITE, maximum_size = 1061 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.PNG | filename = C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.PNG, protection = PAGE_READWRITE, maximum_size = 1682 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.WPG | filename = C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.WPG, protection = PAGE_READWRITE, maximum_size = 1382 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\GRPHFLT\PICTIM32.FLT | filename = C:\Program Files\Common Files\microsoft shared\GRPHFLT\PICTIM32.FLT, protection = PAGE_READWRITE, maximum_size = 76440 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\GRPHFLT\PNG32.FLT | filename = C:\Program Files\Common Files\microsoft shared\GRPHFLT\PNG32.FLT, protection = PAGE_READWRITE, maximum_size = 278176 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\GRPHFLT\WPGIMP32.FLT | filename = C:\Program Files\Common Files\microsoft shared\GRPHFLT\WPGIMP32.FLT, protection = PAGE_READWRITE, maximum_size = 269984 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\Help\Hx.HxC | filename = C:\Program Files\Common Files\microsoft shared\Help\Hx.HxC, protection = PAGE_READWRITE, maximum_size = 803 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\Help\Hx.HxT | filename = C:\Program Files\Common Files\microsoft shared\Help\Hx.HxT, protection = PAGE_READWRITE, maximum_size = 169 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\Help\hxds.dll | filename = C:\Program Files\Common Files\microsoft shared\Help\hxds.dll, protection = PAGE_READWRITE, maximum_size = 1235600 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\Help\HxRuntime.HxS | filename = C:\Program Files\Common Files\microsoft shared\Help\HxRuntime.HxS, protection = PAGE_READWRITE, maximum_size = 27880 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\Help\itircl55.dll | filename = C:\Program Files\Common Files\microsoft shared\Help\itircl55.dll, protection = PAGE_READWRITE, maximum_size = 1572864 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\Help\Keywords.HxK | filename = C:\Program Files\Common Files\microsoft shared\Help\Keywords.HxK, protection = PAGE_READWRITE, maximum_size = 133 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\Help\msitss55.dll | filename = C:\Program Files\Common Files\microsoft shared\Help\msitss55.dll, protection = PAGE_READWRITE, maximum_size = 444592 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\Help\NamedUrls.HxK | filename = C:\Program Files\Common Files\microsoft shared\Help\NamedUrls.HxK, protection = PAGE_READWRITE, maximum_size = 140 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\MSClientDataMgr\MSCDM.DLL | filename = C:\Program Files\Common Files\microsoft shared\MSClientDataMgr\MSCDM.DLL, protection = PAGE_READWRITE, maximum_size = 485552 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEINTL.DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEINTL.DLL, protection = PAGE_READWRITE, maximum_size = 201416 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEODBCI.DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEODBCI.DLL, protection = PAGE_READWRITE, maximum_size = 53440 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEWSTR.DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEWSTR.DLL, protection = PAGE_READWRITE, maximum_size = 859312 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ADO210.CHM | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ADO210.CHM, protection = PAGE_READWRITE, maximum_size = 1572864 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ALRTINTL.DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ALRTINTL.DLL, protection = PAGE_READWRITE, maximum_size = 154208 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.DLL, protection = PAGE_READWRITE, maximum_size = 1572864 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.DLL.IDX_DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.DLL.IDX_DLL, protection = PAGE_READWRITE, maximum_size = 52880 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.REST.IDX_DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.REST.IDX_DLL, protection = PAGE_READWRITE, maximum_size = 1484432 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSSOAPR3.DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSSOAPR3.DLL, protection = PAGE_READWRITE, maximum_size = 42136 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\OARPMANR.DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\OARPMANR.DLL, protection = PAGE_READWRITE, maximum_size = 12440 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\OSFINTL.DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\OSFINTL.DLL, protection = PAGE_READWRITE, maximum_size = 133768 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmdp32.msi | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmdp32.msi, protection = PAGE_READWRITE, maximum_size = 1572864 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmdp64.msi | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmdp64.msi, protection = PAGE_READWRITE, maximum_size = 1572864 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmia32.msi | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmia32.msi, protection = PAGE_READWRITE, maximum_size = 1572864 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmia64.msi | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmia64.msi, protection = PAGE_READWRITE, maximum_size = 1572864 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\README.HTM | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\README.HTM, protection = PAGE_READWRITE, maximum_size = 427 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\xlsrvintl.dll | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\xlsrvintl.dll, protection = PAGE_READWRITE, maximum_size = 262280 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACECORE.DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACECORE.DLL, protection = PAGE_READWRITE, maximum_size = 1572864 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEDAO.DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEDAO.DLL, protection = PAGE_READWRITE, maximum_size = 617216 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEERR.DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEERR.DLL, protection = PAGE_READWRITE, maximum_size = 40664 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEES.DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEES.DLL, protection = PAGE_READWRITE, maximum_size = 877808 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEEXCH.DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEEXCH.DLL, protection = PAGE_READWRITE, maximum_size = 248040 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEEXCL.DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEEXCL.DLL, protection = PAGE_READWRITE, maximum_size = 532704 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODBC.DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODBC.DLL, protection = PAGE_READWRITE, maximum_size = 337656 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODEXL.DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODEXL.DLL, protection = PAGE_READWRITE, maximum_size = 16536 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODTXT.DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODTXT.DLL, protection = PAGE_READWRITE, maximum_size = 16536 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEOLEDB.DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEOLEDB.DLL, protection = PAGE_READWRITE, maximum_size = 444648 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACETXT.DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACETXT.DLL, protection = PAGE_READWRITE, maximum_size = 203480 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEWDAT.DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEWDAT.DLL, protection = PAGE_READWRITE, maximum_size = 1572864 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEWSS.DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEWSS.DLL, protection = PAGE_READWRITE, maximum_size = 314088 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\ADAL.DLL | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\ADAL.DLL, protection = PAGE_READWRITE, maximum_size = 873128 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\CMigrate.exe | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\CMigrate.exe, protection = PAGE_READWRITE, maximum_size = 1572864 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\Csi.dll | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\Csi.dll, protection = PAGE_READWRITE, maximum_size = 1572864 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\CSISYNCCLIENT.EXE | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\CSISYNCCLIENT.EXE, protection = PAGE_READWRITE, maximum_size = 107760 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\as80.xsl | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\as80.xsl, protection = PAGE_READWRITE, maximum_size = 17380 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\as90.xsl | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\as90.xsl, protection = PAGE_READWRITE, maximum_size = 18874 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\db2v0801.xsl | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\db2v0801.xsl, protection = PAGE_READWRITE, maximum_size = 30084 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\informix.xsl | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\informix.xsl, protection = PAGE_READWRITE, maximum_size = 31527 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\msjet.xsl | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\msjet.xsl, protection = PAGE_READWRITE, maximum_size = 29497 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\orcl7.xsl | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\orcl7.xsl, protection = PAGE_READWRITE, maximum_size = 35333 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql2000.xsl | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql2000.xsl, protection = PAGE_READWRITE, maximum_size = 34188 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql70.xsl | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql70.xsl, protection = PAGE_READWRITE, maximum_size = 32258 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql90.xsl | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql90.xsl, protection = PAGE_READWRITE, maximum_size = 93163 |
|
1 | |
| Create Mapping | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sqlpdw.xsl | filename = C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sqlpdw.xsl, protection = PAGE_READWRITE, maximum_size = 73772 |
|
1 | |
| Map | C:\Boot\BCD.LOG1 | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Boot\BCD.LOG2 | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Boot\BOOTSTAT.DAT | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\BOOTNXT | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\DW\DBGHELP.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\DW\DW20.EXE | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\DW\DWTRIG20.EXE | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\EQUATION\1033\EEINTL.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.CNT | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\EQUATION\eqnedt32.exe.manifest | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.HLP | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\EQUATION\MTEXTRA.TTF | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\EURO\MSOEURO.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\Filters\msgfilt.dll | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\Filters\odffilt.dll | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\Filters\offfiltx.dll | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\Filters\VISFILT.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\GRPHFLT\EPSIMP32.FLT | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.EPS | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.GIF | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.JPG | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.PNG | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\GRPHFLT\MS.WPG | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\GRPHFLT\PICTIM32.FLT | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\GRPHFLT\PNG32.FLT | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\GRPHFLT\WPGIMP32.FLT | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\Help\Hx.HxC | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\Help\Hx.HxT | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\Help\hxds.dll | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\Help\HxRuntime.HxS | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\Help\itircl55.dll | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\Help\Keywords.HxK | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\Help\msitss55.dll | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\Help\NamedUrls.HxK | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\MSClientDataMgr\MSCDM.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEINTL.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEODBCI.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ACEWSTR.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ADO210.CHM | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\ALRTINTL.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.DLL.IDX_DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.REST.IDX_DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSSOAPR3.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\OARPMANR.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\OSFINTL.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmdp32.msi | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmdp64.msi | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmia32.msi | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\osmia64.msi | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\README.HTM | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\1033\xlsrvintl.dll | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACECORE.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEDAO.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEERR.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEES.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEEXCH.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEEXCL.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODBC.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODEXL.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEODTXT.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEOLEDB.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACETXT.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEWDAT.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\ACEWSS.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\ADAL.DLL | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\CMigrate.exe | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\Csi.dll | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\CSISYNCCLIENT.EXE | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\as80.xsl | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\as90.xsl | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\db2v0801.xsl | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\informix.xsl | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\msjet.xsl | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\orcl7.xsl | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql2000.xsl | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql70.xsl | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sql90.xsl | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| Map | C:\Program Files\Common Files\microsoft shared\OFFICE15\DataModel\Cartridges\sqlpdw.xsl | process_name = c:\windows\svchost.exe, desired_access = FILE_MAP_WRITE |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = -1 (infinite) |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
2 |
Mutex (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = 䩈㹇䨼䙫套杉極桯瑧㤸㜵朳橵畨㝹常⠪⠦♞ |
|
1 | |
| Open | mutex_name = 䩈㹇䨼䙫套杉極桯瑧㤸㜵朳橵畨㝹常⠪⠦♞, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 | |
| Release | mutex_name = 䩈㹇䨼䙫套杉極桯瑧㤸㜵朳橵畨㝹常⠪⠦♞ |
|
1 |
Process #3: cmd.exe
76
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:46, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:47 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xaf0 |
| Parent PID | 0xac4 (c:\windows\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007f4d5000 | 0x7f4d5000 | 0x7f4d5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000b76a280000 | 0xb76a280000 | 0xb76a29ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000b76a280000 | 0xb76a280000 | 0xb76a28ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000b76a290000 | 0xb76a290000 | 0xb76a296fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000b76a2a0000 | 0xb76a2a0000 | 0xb76a2aefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000b76a2b0000 | 0xb76a2b0000 | 0xb76a3affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000b76a3b0000 | 0xb76a3b0000 | 0xb76a3b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000b76a3c0000 | 0xb76a3c0000 | 0xb76a3c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000b76a3d0000 | 0xb76a3d0000 | 0xb76a3d1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0xb76a3e0000 | 0xb76a45dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000b76a580000 | 0xb76a580000 | 0xb76a58ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000b76a5c0000 | 0xb76a5c0000 | 0xb76a6bffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0xb76a6c0000 | 0xb76a994fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00007ff639410000 | 0x7ff639410000 | 0x7ff63950ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff639510000 | 0x7ff639510000 | 0x7ff639532fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff639533000 | 0x7ff639533000 | 0x7ff639533fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff63953e000 | 0x7ff63953e000 | 0x7ff63953ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x7ff639dc0000 | 0x7ff639e1afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (13)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Get Info | vssadmin.exe | type = file_attributes |
|
1 | |
| Get Info | bcdedit.exe | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\vssadmin.exe | os_pid = 0xad8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\bcdedit.exe | os_pid = 0x8dc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\bcdedit.exe | os_pid = 0x8d8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x7ff639dc0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ffb1b140000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7ffb1b149180 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x7ffb1b14493c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7ffb1b142d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7ffb1adf0750 |
|
1 |
Environment (35)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
13 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
4 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
4 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
3 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 |
Process #5: vssadmin.exe
0
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\vssadmin.exe |
| Command Line | vssadmin.exe delete shadows /all /quiet |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:50, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:43 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xad8 |
| Parent PID | 0xaf0 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B18
0x
BE0
0x
BE4
0x
BE8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x00000012970a0000 | 0x12970a0000 | 0x12970bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000012970a0000 | 0x12970a0000 | 0x12970affff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000012970b0000 | 0x12970b0000 | 0x12970b6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000012970c0000 | 0x12970c0000 | 0x12970cefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000012970d0000 | 0x12970d0000 | 0x129714ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000001297150000 | 0x1297150000 | 0x1297153fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000001297160000 | 0x1297160000 | 0x1297160fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000001297170000 | 0x1297170000 | 0x1297171fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x1297180000 | 0x12971fdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000001297200000 | 0x1297200000 | 0x1297206fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000001297210000 | 0x1297210000 | 0x1297212fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000001297220000 | 0x1297220000 | 0x1297220fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| vssadmin.exe.mui | 0x1297230000 | 0x129723cfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000001297240000 | 0x1297240000 | 0x129724ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000001297250000 | 0x1297250000 | 0x1297250fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000001297260000 | 0x1297260000 | 0x1297260fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000001297270000 | 0x1297270000 | 0x1297270fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000001297280000 | 0x1297280000 | 0x1297280fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000001297290000 | 0x1297290000 | 0x129730ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000001297330000 | 0x1297330000 | 0x129742ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000001297430000 | 0x1297430000 | 0x12975b7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000012975c0000 | 0x12975c0000 | 0x1297740fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000001297750000 | 0x1297750000 | 0x1298b4ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x1298b50000 | 0x1298e24fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000001298e30000 | 0x1298e30000 | 0x1298eaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000001298eb0000 | 0x1298eb0000 | 0x1298f2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff673ea0000 | 0x7ff673ea0000 | 0x7ff673f9ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff673fa0000 | 0x7ff673fa0000 | 0x7ff673fc2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff673fc7000 | 0x7ff673fc7000 | 0x7ff673fc8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff673fc9000 | 0x7ff673fc9000 | 0x7ff673fcafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff673fcb000 | 0x7ff673fcb000 | 0x7ff673fccfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff673fcd000 | 0x7ff673fcd000 | 0x7ff673fcdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff673fce000 | 0x7ff673fce000 | 0x7ff673fcffff | Private Memory | Readable, Writable |
|
|
|
- |
| vssadmin.exe | 0x7ff6741b0000 | 0x7ff6741d8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| vsstrace.dll | 0x7ffb130f0000 | 0x7ffb13105fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| vssapi.dll | 0x7ffb13110000 | 0x7ffb1328ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| vss_ps.dll | 0x7ffb14230000 | 0x7ffb14244fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcd.dll | 0x7ffb16730000 | 0x7ffb16749fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| atl.dll | 0x7ffb17100000 | 0x7ffb1711afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x7ffb171a0000 | 0x7ffb171a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffb19920000 | 0x7ffb19929fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffb19f50000 | 0x7ffb19f84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffb1a310000 | 0x7ffb1a32dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffb1a540000 | 0x7ffb1a565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffb1a860000 | 0x7ffb1a8bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffb1a9c0000 | 0x7ffb1a9c9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ffb1b010000 | 0x7ffb1b067fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffb1b070000 | 0x7ffb1b126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ffb1b280000 | 0x7ffb1b288fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffb1b290000 | 0x7ffb1b407fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffb1b410000 | 0x7ffb1b580fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ffb1b590000 | 0x7ffb1b6c8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffb1b870000 | 0x7ffb1ba45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffb1ba50000 | 0x7ffb1baa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffb1cef0000 | 0x7ffb1cf94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7ffb1cfa0000 | 0x7ffb1d043fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ffb1d230000 | 0x7ffb1d280fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ffb1d2f0000 | 0x7ffb1d323fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffb1d450000 | 0x7ffb1d594fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffb1d5a0000 | 0x7ffb1d6d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #8: bcdedit.exe
0
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\system32\bcdedit.exe |
| Command Line | bcdedit.exe /set {default} recoveryenabled no |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:26 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8dc |
| Parent PID | 0xaf0 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
940
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000e73a6a0000 | 0xe73a6a0000 | 0xe73a6bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e73a6a0000 | 0xe73a6a0000 | 0xe73a6affff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e73a6c0000 | 0xe73a6c0000 | 0xe73a6cefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000e73a6d0000 | 0xe73a6d0000 | 0xe73a74ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e73a750000 | 0xe73a750000 | 0xe73a753fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e73a760000 | 0xe73a760000 | 0xe73a760fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000e73a770000 | 0xe73a770000 | 0xe73a771fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0xe73a780000 | 0xe73a7fdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000e73a960000 | 0xe73a960000 | 0xe73aa5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff61c650000 | 0x7ff61c650000 | 0x7ff61c74ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff61c750000 | 0x7ff61c750000 | 0x7ff61c772fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff61c77d000 | 0x7ff61c77d000 | 0x7ff61c77efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff61c77f000 | 0x7ff61c77f000 | 0x7ff61c77ffff | Private Memory | Readable, Writable |
|
|
|
- |
| bcdedit.exe | 0x7ff61ca60000 | 0x7ff61cab7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffb1af60000 | 0x7ffb1b006fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffb1ba50000 | 0x7ffb1baa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffb1cef0000 | 0x7ffb1cf94fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffb1d5a0000 | 0x7ffb1d6d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #9: bcdedit.exe
0
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\system32\bcdedit.exe |
| Command Line | bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:09, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:24 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8d8 |
| Parent PID | 0xaf0 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8A8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000004aeb070000 | 0x4aeb070000 | 0x4aeb08ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004aeb090000 | 0x4aeb090000 | 0x4aeb09efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000004aeb0a0000 | 0x4aeb0a0000 | 0x4aeb11ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004aeb120000 | 0x4aeb120000 | 0x4aeb123fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000004aeb130000 | 0x4aeb130000 | 0x4aeb130fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000004aeb140000 | 0x4aeb140000 | 0x4aeb141fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004aeb1c0000 | 0x4aeb1c0000 | 0x4aeb2bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff61bb40000 | 0x7ff61bb40000 | 0x7ff61bb62fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff61bb66000 | 0x7ff61bb66000 | 0x7ff61bb66fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff61bb6e000 | 0x7ff61bb6e000 | 0x7ff61bb6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| bcdedit.exe | 0x7ff61ca60000 | 0x7ff61cab7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffb1ada0000 | 0x7ffb1aeaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffb1b140000 | 0x7ffb1b279fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #10: System
0
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | System |
| Command Line | - |
| Initial Working Directory | - |
| Monitor | Start Time: 00:01:22, Reason: Kernel Analysis |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:11 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
8
0x
18
0x
14
0x
1C
0x
4C
0x
24
0x
28
0x
2C
0x
30
0x
48
0x
90
0x
94
0x
98
0x
A0
0x
9C
0x
78
0x
38
0x
CC
0x
D8
0x
A4
0x
E4
0x
A8
0x
100
0x
104
0x
10C
0x
114
0x
110
0x
108
0x
AC
0x
34
0x
138
0x
13C
0x
140
0x
144
0x
148
0x
7C
0x
14C
0x
150
0x
154
0x
20
0x
3C
0x
1A4
0x
10
0x
124
0x
68
0x
6C
0x
58
0x
280
0x
2A4
0x
64
0x
C8
0x
140
0x
144
0x
278
0x
3B0
0x
320
0x
414
0x
424
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x0000004b8df30000 | 0x4b8df30000 | 0x4b8df52fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
Process #11: smss.exe
0
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\system32\smss.exe |
| Command Line | \SystemRoot\System32\smss.exe |
| Initial Working Directory | C:\Windows |
| Monitor | Start Time: 00:01:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:08 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe8 |
| Parent PID | 0x4 (System) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
EC
0x
F4
0x
1CC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000006b34640000 | 0x6b34640000 | 0x6b3465ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000006b34660000 | 0x6b34660000 | 0x6b3466efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000006b34670000 | 0x6b34670000 | 0x6b346effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff64e7a0000 | 0x7ff64e7a0000 | 0x7ff64e7c2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff64e7c4000 | 0x7ff64e7c4000 | 0x7ff64e7c4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff64e7ce000 | 0x7ff64e7ce000 | 0x7ff64e7cffff | Private Memory | Readable, Writable |
|
|
|
- |
| smss.exe | 0x7ff64f320000 | 0x7ff64f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9ff500000 | 0x7ff9ff6a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #12: autochk.exe
0
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\windows\system32\autochk.exe |
| Command Line | \??\C:\Windows\system32\autochk.exe * |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:08 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf8 |
| Parent PID | 0xe8 (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
FC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000753cbe0000 | 0x753cbe0000 | 0x753cbfffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000753cc00000 | 0x753cc00000 | 0x753cc0efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000753cc10000 | 0x753cc10000 | 0x753cc8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000753cd00000 | 0x753cd00000 | 0x753cdfffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff7862c0000 | 0x7ff7862c0000 | 0x7ff7862e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff7862e3000 | 0x7ff7862e3000 | 0x7ff7862e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7862ee000 | 0x7ff7862ee000 | 0x7ff7862effff | Private Memory | Readable, Writable |
|
|
|
- |
| autochk.exe | 0x7ff7869c0000 | 0x7ff786a9dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9ff500000 | 0x7ff9ff6a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #13: smss.exe
0
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\system32\smss.exe |
| Command Line | \SystemRoot\System32\smss.exe 00000000 00000050 |
| Initial Working Directory | C:\Windows\ |
| Monitor | Start Time: 00:01:32, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:01 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x128 |
| Parent PID | 0xe8 (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
12C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000003e10970000 | 0x3e10970000 | 0x3e1098ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000003e10990000 | 0x3e10990000 | 0x3e1099efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000003e109a0000 | 0x3e109a0000 | 0x3e10a1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff64e9b0000 | 0x7ff64e9b0000 | 0x7ff64e9d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff64e9db000 | 0x7ff64e9db000 | 0x7ff64e9dbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff64e9de000 | 0x7ff64e9de000 | 0x7ff64e9dffff | Private Memory | Readable, Writable |
|
|
|
- |
| smss.exe | 0x7ff64f320000 | 0x7ff64f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9ff500000 | 0x7ff9ff6a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #14: csrss.exe
0
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\system32\csrss.exe |
| Command Line | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:33, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:00 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x130 |
| Parent PID | 0x128 (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
134
0x
158
0x
15C
0x
160
0x
164
0x
19C
0x
1B8
0x
1C0
0x
2B0
0x
38C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000dc92bc0000 | 0xdc92bc0000 | 0xdc92bdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000dc92bc0000 | 0xdc92bc0000 | 0xdc92bc6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000dc92bd0000 | 0xdc92bd0000 | 0xdc92bd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000dc92be0000 | 0xdc92be0000 | 0xdc92beefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000dc92bf0000 | 0xdc92bf0000 | 0xdc92c2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000dc92bf0000 | 0xdc92bf0000 | 0xdc92bfffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| marlett.ttf | 0xdc92c00000 | 0xdc92c06fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000dc92c10000 | 0xdc92c10000 | 0xdc92c27fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000dc92c30000 | 0xdc92c30000 | 0xdc92c30fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000dc92c40000 | 0xdc92c40000 | 0xdc92d3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0xdc92d40000 | 0xdc92dbdfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000dc92dc0000 | 0xdc92dc0000 | 0xdc92f40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000dc92f50000 | 0xdc92f50000 | 0xdc9334bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000dc93350000 | 0xdc93350000 | 0xdc93350fff | Private Memory | Readable, Writable |
|
|
|
- |
| vgasys.fon | 0xdc93360000 | 0xdc93361fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000dc93370000 | 0xdc93370000 | 0xdc933affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000dc933b0000 | 0xdc933b0000 | 0xdc933effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000dc933f0000 | 0xdc933f0000 | 0xdc9342ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000dc93430000 | 0xdc93430000 | 0xdc9346ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000dc93470000 | 0xdc93470000 | 0xdc935f7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000dc93600000 | 0xdc93600000 | 0xdc93600fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000dc93610000 | 0xdc93610000 | 0xdc9364ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000dc93650000 | 0xdc93650000 | 0xdc9368ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000dc93690000 | 0xdc93690000 | 0xdc936cffff | Private Memory | Readable, Writable |
|
|
|
- |
| segoeui.ttf | 0xdc936d0000 | 0xdc9379dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000dc937a0000 | 0xdc937a0000 | 0xdc937cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000dc937d0000 | 0xdc937d0000 | 0xdc94bcffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000dc94bd0000 | 0xdc94bd0000 | 0xdc94bd0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000dc94be0000 | 0xdc94be0000 | 0xdc94be0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000dc94bf0000 | 0xdc94bf0000 | 0xdc94bf3fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000dc94bf0000 | 0xdc94bf0000 | 0xdc94bf0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000dc94bf0000 | 0xdc94bf0000 | 0xdc94bfffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000dc94c00000 | 0xdc94c00000 | 0xdc94c00fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000dc94c00000 | 0xdc94c00000 | 0xdc94c0ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000dc94c10000 | 0xdc94c10000 | 0xdc94c10fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000dc94c10000 | 0xdc94c10000 | 0xdc94c1ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000dc94c20000 | 0xdc94c20000 | 0xdc94c2ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000dc94c30000 | 0xdc94c30000 | 0xdc94c30fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000dc94c30000 | 0xdc94c30000 | 0xdc94c3ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000dc94c40000 | 0xdc94c40000 | 0xdc94c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000dc94c80000 | 0xdc94c80000 | 0xdc94d3ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000dc94d40000 | 0xdc94d40000 | 0xdc94d4ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000dc94d50000 | 0xdc94d50000 | 0xdc94e0ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000dc94e10000 | 0xdc94e10000 | 0xdc94e1ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000dc94e20000 | 0xdc94e20000 | 0xdc94e2ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000dc94e30000 | 0xdc94e30000 | 0xdc94e6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000dc94e70000 | 0xdc94e70000 | 0xdc94e7ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000dc94e80000 | 0xdc94e80000 | 0xdc94f3ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000dc94f40000 | 0xdc94f40000 | 0xdc94f40fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000dc94f40000 | 0xdc94f40000 | 0xdc94f4ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000dc94f50000 | 0xdc94f50000 | 0xdc94f50fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6acbaa000 | 0x7ff6acbaa000 | 0x7ff6acbabfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6acbac000 | 0x7ff6acbac000 | 0x7ff6acbadfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6acbae000 | 0x7ff6acbae000 | 0x7ff6acbaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff6acbb0000 | 0x7ff6acbb0000 | 0x7ff6accaffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff6accb0000 | 0x7ff6accb0000 | 0x7ff6accd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff6accd3000 | 0x7ff6accd3000 | 0x7ff6accd4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6accd5000 | 0x7ff6accd5000 | 0x7ff6accd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6accd7000 | 0x7ff6accd7000 | 0x7ff6accd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6accd9000 | 0x7ff6accd9000 | 0x7ff6accdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6accdb000 | 0x7ff6accdb000 | 0x7ff6accdcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6accdd000 | 0x7ff6accdd000 | 0x7ff6accddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6accde000 | 0x7ff6accde000 | 0x7ff6accdffff | Private Memory | Readable, Writable |
|
|
|
- |
| csrss.exe | 0x7ff6ad990000 | 0x7ff6ad996fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff9fc680000 | 0x7ff9fc6dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ff9fc6e0000 | 0x7ff9fc6e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sxs.dll | 0x7ff9fc6f0000 | 0x7ff9fc786fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sxssrv.dll | 0x7ff9fc890000 | 0x7ff9fc89cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsrv.dll | 0x7ff9fc8a0000 | 0x7ff9fc8d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| basesrv.dll | 0x7ff9fc8e0000 | 0x7ff9fc8f2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| csrsrv.dll | 0x7ff9fc900000 | 0x7ff9fc915fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ff9fc940000 | 0x7ff9fca4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ff9fcd80000 | 0x7ff9fceb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ff9fd6d0000 | 0x7ff9fd805fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ff9fdb80000 | 0x7ff9fdcc4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ff9fde70000 | 0x7ff9fdfe0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9ff500000 | 0x7ff9ff6a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #15: smss.exe
0
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\windows\system32\smss.exe |
| Command Line | \SystemRoot\System32\smss.exe 00000001 00000050 |
| Initial Working Directory | C:\Windows\ |
| Monitor | Start Time: 00:01:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:58 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x168 |
| Parent PID | 0xe8 (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
16C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000efca0e0000 | 0xefca0e0000 | 0xefca0fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000efca100000 | 0xefca100000 | 0xefca10efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000efca110000 | 0xefca110000 | 0xefca18ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff64ebc0000 | 0x7ff64ebc0000 | 0x7ff64ebe2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff64ebea000 | 0x7ff64ebea000 | 0x7ff64ebeafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff64ebee000 | 0x7ff64ebee000 | 0x7ff64ebeffff | Private Memory | Readable, Writable |
|
|
|
- |
| smss.exe | 0x7ff64f320000 | 0x7ff64f344fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9ff500000 | 0x7ff9ff6a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #16: csrss.exe
0
0
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\windows\system32\csrss.exe |
| Command Line | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:58 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x170 |
| Parent PID | 0x168 (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
174
0x
180
0x
184
0x
188
0x
18C
0x
190
0x
1AC
0x
1BC
0x
1C4
0x
26C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000458deb0000 | 0x458deb0000 | 0x458decffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000458deb0000 | 0x458deb0000 | 0x458deb6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000458dec0000 | 0x458dec0000 | 0x458dec2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000458ded0000 | 0x458ded0000 | 0x458dedefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000458dee0000 | 0x458dee0000 | 0x458df1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000458dee0000 | 0x458dee0000 | 0x458deeffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| marlett.ttf | 0x458def0000 | 0x458def6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000458df00000 | 0x458df00000 | 0x458df17fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x458df20000 | 0x458df9dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000458dfa0000 | 0x458dfa0000 | 0x458e09ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000458e0a0000 | 0x458e0a0000 | 0x458e220fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000458e230000 | 0x458e230000 | 0x458e230fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000458e240000 | 0x458e240000 | 0x458e63bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000458e640000 | 0x458e640000 | 0x458e640fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000458e650000 | 0x458e650000 | 0x458e650fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000458e660000 | 0x458e660000 | 0x458e660fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000458e670000 | 0x458e670000 | 0x458eb61fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000458e670000 | 0x458e670000 | 0x458e671fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000458eb70000 | 0x458eb70000 | 0x458eb70fff | Private Memory | Readable, Writable |
|
|
|
- |
| vgasys.fon | 0x458eb80000 | 0x458eb81fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000458eb90000 | 0x458eb90000 | 0x458ebcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000458ebd0000 | 0x458ebd0000 | 0x458ec0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000458ec10000 | 0x458ec10000 | 0x458ec4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000458ec50000 | 0x458ec50000 | 0x458ec8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000458ec90000 | 0x458ec90000 | 0x458ee17fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000458ee20000 | 0x458ee20000 | 0x458ee20fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000458ee30000 | 0x458ee30000 | 0x458ee6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000458ee70000 | 0x458ee70000 | 0x458eeaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000458eeb0000 | 0x458eeb0000 | 0x458eeeffff | Private Memory | Readable, Writable |
|
|
|
- |
| segoeui.ttf | 0x458eef0000 | 0x458efbdfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000458efc0000 | 0x458efc0000 | 0x458efeffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000458eff0000 | 0x458eff0000 | 0x45903effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000045903f0000 | 0x45903f0000 | 0x459042ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004590430000 | 0x4590430000 | 0x4590430fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004590440000 | 0x4590440000 | 0x4590440fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004590450000 | 0x4590450000 | 0x4590453fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004590450000 | 0x4590450000 | 0x4590452fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004590450000 | 0x4590450000 | 0x459045ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004590460000 | 0x4590460000 | 0x4590462fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004590460000 | 0x4590460000 | 0x459046ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004590470000 | 0x4590470000 | 0x4590472fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004590470000 | 0x4590470000 | 0x4590471fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| windowsshell.manifest | 0x4590470000 | 0x4590470fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000004590480000 | 0x4590480000 | 0x4590481fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6ad6fa000 | 0x7ff6ad6fa000 | 0x7ff6ad6fbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6ad6fc000 | 0x7ff6ad6fc000 | 0x7ff6ad6fdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6ad6fe000 | 0x7ff6ad6fe000 | 0x7ff6ad6fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff6ad700000 | 0x7ff6ad700000 | 0x7ff6ad7fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff6ad800000 | 0x7ff6ad800000 | 0x7ff6ad822fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff6ad824000 | 0x7ff6ad824000 | 0x7ff6ad825fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6ad826000 | 0x7ff6ad826000 | 0x7ff6ad827fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6ad828000 | 0x7ff6ad828000 | 0x7ff6ad829fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6ad82a000 | 0x7ff6ad82a000 | 0x7ff6ad82bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6ad82c000 | 0x7ff6ad82c000 | 0x7ff6ad82cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6ad82e000 | 0x7ff6ad82e000 | 0x7ff6ad82ffff | Private Memory | Readable, Writable |
|
|
|
- |
| csrss.exe | 0x7ff6ad990000 | 0x7ff6ad996fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff9fc680000 | 0x7ff9fc6dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ff9fc6e0000 | 0x7ff9fc6e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sxs.dll | 0x7ff9fc6f0000 | 0x7ff9fc786fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sxssrv.dll | 0x7ff9fc890000 | 0x7ff9fc89cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsrv.dll | 0x7ff9fc8a0000 | 0x7ff9fc8d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| basesrv.dll | 0x7ff9fc8e0000 | 0x7ff9fc8f2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| csrsrv.dll | 0x7ff9fc900000 | 0x7ff9fc915fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ff9fc940000 | 0x7ff9fca4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ff9fcd80000 | 0x7ff9fceb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ff9fd6d0000 | 0x7ff9fd805fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ff9fdb80000 | 0x7ff9fdcc4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ff9fde70000 | 0x7ff9fdfe0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9ff500000 | 0x7ff9ff6a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #17: wininit.exe
0
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\windows\system32\wininit.exe |
| Command Line | wininit.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:58 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x178 |
| Parent PID | 0x128 (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
17C
0x
1A0
0x
1A8
0x
1C8
0x
1F0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x00000077d5e70000 | 0x77d5e70000 | 0x77d5e8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000077d5e70000 | 0x77d5e70000 | 0x77d5e7ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000077d5e80000 | 0x77d5e80000 | 0x77d5e86fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000077d5e90000 | 0x77d5e90000 | 0x77d5e9efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000077d5ea0000 | 0x77d5ea0000 | 0x77d5f1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x77d5f20000 | 0x77d5f9dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000077d5fa0000 | 0x77d5fa0000 | 0x77d5fa6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000077d5fb0000 | 0x77d5fb0000 | 0x77d5fb2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000077d5fc0000 | 0x77d5fc0000 | 0x77d5fc0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000077d5fd0000 | 0x77d5fd0000 | 0x77d5fd0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000077d5fe0000 | 0x77d5fe0000 | 0x77d60dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000077d60e0000 | 0x77d60e0000 | 0x77d615ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000077d60e0000 | 0x77d60e0000 | 0x77d60e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000077d60f0000 | 0x77d60f0000 | 0x77d60f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| user32.dll.mui | 0x77d60f0000 | 0x77d60f4fff | Memory Mapped File | Readable |
|
|
|
- |
| user32.dll.mui | 0x77d6100000 | 0x77d6104fff | Memory Mapped File | Readable |
|
|
|
- |
| aero_arrow.cur | 0x77d6100000 | 0x77d6107fff | Memory Mapped File | Readable |
|
|
|
- |
| aero_up.cur | 0x77d6100000 | 0x77d6107fff | Memory Mapped File | Readable |
|
|
|
- |
| aero_helpsel.cur | 0x77d6100000 | 0x77d6107fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000077d6100000 | 0x77d6100000 | 0x77d6100fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000077d6110000 | 0x77d6110000 | 0x77d613ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000077d6150000 | 0x77d6150000 | 0x77d615ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000077d6160000 | 0x77d6160000 | 0x77d61dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000077d61e0000 | 0x77d61e0000 | 0x77d6367fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000077d6370000 | 0x77d6370000 | 0x77d64f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000077d6500000 | 0x77d6500000 | 0x77d68fbfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| aero_busy.ani | 0x77d6500000 | 0x77d6587fff | Memory Mapped File | Readable |
|
|
|
- |
| aero_working.ani | 0x77d6500000 | 0x77d6587fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000077d6500000 | 0x77d6500000 | 0x77d657ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x77d6580000 | 0x77d6854fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000077d6900000 | 0x77d6900000 | 0x77d697ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000077d6980000 | 0x77d6980000 | 0x77d69fffff | Private Memory | Readable, Writable |
|
|
|
- |
| malgun.ttf | 0x77d6a00000 | 0x77d7326fff | Memory Mapped File | Readable |
|
|
|
- |
| msyh.ttc | 0x77d6a00000 | 0x77d7ea1fff | Memory Mapped File | Readable |
|
|
|
- |
| batang.ttc | 0x77d6a00000 | 0x77d7982fff | Memory Mapped File | Readable |
|
|
|
- |
| malgunbd.ttf | 0x77d6a00000 | 0x77d7281fff | Memory Mapped File | Readable |
|
|
|
- |
| segoeuib.ttf | 0x77d6a00000 | 0x77d6acbfff | Memory Mapped File | Readable |
|
|
|
- |
| msmincho.ttc | 0x77d6a00000 | 0x77d739dfff | Memory Mapped File | Readable |
|
|
|
- |
| segoeui.ttf | 0x77d6a00000 | 0x77d6acdfff | Memory Mapped File | Readable |
|
|
|
- |
| tahoma.ttf | 0x77d6a00000 | 0x77d6ab6fff | Memory Mapped File | Readable |
|
|
|
- |
| simsun.ttc | 0x77d6a00000 | 0x77d7b69fff | Memory Mapped File | Readable |
|
|
|
- |
| meiryob.ttc | 0x77d6a00000 | 0x77d734afff | Memory Mapped File | Readable |
|
|
|
- |
| msgothic.ttc | 0x77d6a00000 | 0x77d72c8fff | Memory Mapped File | Readable |
|
|
|
- |
| gulim.ttc | 0x77d6a00000 | 0x77d76e5fff | Memory Mapped File | Readable |
|
|
|
- |
| msjhbd.ttc | 0x77d6a00000 | 0x77d77c4fff | Memory Mapped File | Readable |
|
|
|
- |
| msyhbd.ttc | 0x77d6a00000 | 0x77d77cafff | Memory Mapped File | Readable |
|
|
|
- |
| micross.ttf | 0x77d6a00000 | 0x77d6aa2fff | Memory Mapped File | Readable |
|
|
|
- |
| mingliu.ttc | 0x77d6a00000 | 0x77d843bfff | Memory Mapped File | Readable |
|
|
|
- |
| msjh.ttc | 0x77d6a00000 | 0x77d7e7cfff | Memory Mapped File | Readable |
|
|
|
- |
| meiryo.ttc | 0x77d6a00000 | 0x77d7315fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000077d6a00000 | 0x77d6a00000 | 0x77d7dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff78a360000 | 0x7ff78a360000 | 0x7ff78a45ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff78a460000 | 0x7ff78a460000 | 0x7ff78a482fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff78a485000 | 0x7ff78a485000 | 0x7ff78a485fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff78a488000 | 0x7ff78a488000 | 0x7ff78a489fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff78a48a000 | 0x7ff78a48a000 | 0x7ff78a48bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff78a48c000 | 0x7ff78a48c000 | 0x7ff78a48dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff78a48e000 | 0x7ff78a48e000 | 0x7ff78a48ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wininit.exe | 0x7ff78a810000 | 0x7ff78a835fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x7ff9fc0d0000 | 0x7ff9fc127fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ff9fc640000 | 0x7ff9fc66afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wls0wndh.dll | 0x7ff9fc780000 | 0x7ff9fc787fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kbdus.dll | 0x7ff9fc7e0000 | 0x7ff9fc7e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininitext.dll | 0x7ff9fc810000 | 0x7ff9fc819fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ff9fc870000 | 0x7ff9fc883fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ff9fc940000 | 0x7ff9fca4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ff9fcd80000 | 0x7ff9fceb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ff9fcec0000 | 0x7ff9fcf66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ff9fd250000 | 0x7ff9fd2a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ff9fd6d0000 | 0x7ff9fd805fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ff9fd970000 | 0x7ff9fd9c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ff9fdb80000 | 0x7ff9fdcc4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ff9fde70000 | 0x7ff9fdfe0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ff9ff470000 | 0x7ff9ff478fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9ff500000 | 0x7ff9ff6a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #18: winlogon.exe
0
0
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\system32\winlogon.exe |
| Command Line | winlogon.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:57 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x194 |
| Parent PID | 0x168 (c:\windows\system32\smss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
198
0x
1B0
0x
1B4
0x
278
0x
27C
0x
2A0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000e71f8e0000 | 0xe71f8e0000 | 0xe71f8fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e71f8e0000 | 0xe71f8e0000 | 0xe71f8effff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e71f8f0000 | 0xe71f8f0000 | 0xe71f8f6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e71f900000 | 0xe71f900000 | 0xe71f90efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000e71f910000 | 0xe71f910000 | 0xe71f98ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0xe71f990000 | 0xe71fa0dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000e71fa10000 | 0xe71fa10000 | 0xe71fa7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e71fa10000 | 0xe71fa10000 | 0xe71fa16fff | Private Memory | Readable, Writable |
|
|
|
- |
| imm32.dll | 0xe71fa20000 | 0xe71fa53fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000e71fa20000 | 0xe71fa20000 | 0xe71fa22fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e71fa30000 | 0xe71fa30000 | 0xe71fa30fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e71fa40000 | 0xe71fa40000 | 0xe71fa40fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e71fa50000 | 0xe71fa50000 | 0xe71fa50fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e71fa60000 | 0xe71fa60000 | 0xe71fa60fff | Private Memory | Readable, Writable |
|
|
|
- |
| user32.dll.mui | 0xe71fa60000 | 0xe71fa64fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000e71fa70000 | 0xe71fa70000 | 0xe71fa7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e71fa80000 | 0xe71fa80000 | 0xe71fafffff | Private Memory | Readable, Writable |
|
|
|
- |
| user32.dll.mui | 0xe71fb00000 | 0xe71fb04fff | Memory Mapped File | Readable |
|
|
|
- |
| aero_arrow.cur | 0xe71fb00000 | 0xe71fb07fff | Memory Mapped File | Readable |
|
|
|
- |
| aero_up.cur | 0xe71fb00000 | 0xe71fb07fff | Memory Mapped File | Readable |
|
|
|
- |
| aero_helpsel.cur | 0xe71fb00000 | 0xe71fb07fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000e71fb00000 | 0xe71fb00000 | 0xe71fb00fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e71fb00000 | 0xe71fb00000 | 0xe71fb00fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e71fb00000 | 0xe71fb00000 | 0xe71fb03fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e71fb00000 | 0xe71fb00000 | 0xe71fb01fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e71fb10000 | 0xe71fb10000 | 0xe71fb27fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000e71fb30000 | 0xe71fb30000 | 0xe71fc2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e71fc30000 | 0xe71fc30000 | 0xe71fdb7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e71fdc0000 | 0xe71fdc0000 | 0xe71ff40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e71ff50000 | 0xe71ff50000 | 0xe72034bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| aero_busy.ani | 0xe71ff50000 | 0xe71ffd7fff | Memory Mapped File | Readable |
|
|
|
- |
| aero_working.ani | 0xe71ff50000 | 0xe71ffd7fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000e71ff50000 | 0xe71ff50000 | 0xe71ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e71ff50000 | 0xe71ff50000 | 0xe71ff8bfff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e71ff50000 | 0xe71ff50000 | 0xe71ff50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000e71ff50000 | 0xe71ff50000 | 0xe71ffcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e71ff50000 | 0xe71ff50000 | 0xe71ff50fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e71ff90000 | 0xe71ff90000 | 0xe71ffcbfff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e71ffd0000 | 0xe71ffd0000 | 0xe71ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e71ffe0000 | 0xe71ffe0000 | 0xe720147fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e71ffe0000 | 0xe71ffe0000 | 0xe7200d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000e71ffe0000 | 0xe71ffe0000 | 0xe72005ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e720060000 | 0xe720060000 | 0xe720060fff | Private Memory | Readable, Writable |
|
|
|
- |
| sysmain.sdb | 0xe720060000 | 0xe7200c9fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000e720060000 | 0xe720060000 | 0xe7200dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e7200e0000 | 0xe7200e0000 | 0xe7201d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e720150000 | 0xe720150000 | 0xe720240fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e720350000 | 0xe720350000 | 0xe7203cffff | Private Memory | Readable, Writable |
|
|
|
- |
| malgun.ttf | 0xe7203d0000 | 0xe720cf6fff | Memory Mapped File | Readable |
|
|
|
- |
| msyh.ttc | 0xe7203d0000 | 0xe721871fff | Memory Mapped File | Readable |
|
|
|
- |
| batang.ttc | 0xe7203d0000 | 0xe721352fff | Memory Mapped File | Readable |
|
|
|
- |
| malgunbd.ttf | 0xe7203d0000 | 0xe720c51fff | Memory Mapped File | Readable |
|
|
|
- |
| segoeuib.ttf | 0xe7203d0000 | 0xe72049bfff | Memory Mapped File | Readable |
|
|
|
- |
| msmincho.ttc | 0xe7203d0000 | 0xe720d6dfff | Memory Mapped File | Readable |
|
|
|
- |
| segoeui.ttf | 0xe7203d0000 | 0xe72049dfff | Memory Mapped File | Readable |
|
|
|
- |
| tahoma.ttf | 0xe7203d0000 | 0xe720486fff | Memory Mapped File | Readable |
|
|
|
- |
| simsun.ttc | 0xe7203d0000 | 0xe721539fff | Memory Mapped File | Readable |
|
|
|
- |
| meiryob.ttc | 0xe7203d0000 | 0xe720d1afff | Memory Mapped File | Readable |
|
|
|
- |
| msgothic.ttc | 0xe7203d0000 | 0xe720c98fff | Memory Mapped File | Readable |
|
|
|
- |
| gulim.ttc | 0xe7203d0000 | 0xe7210b5fff | Memory Mapped File | Readable |
|
|
|
- |
| msjhbd.ttc | 0xe7203d0000 | 0xe721194fff | Memory Mapped File | Readable |
|
|
|
- |
| msyhbd.ttc | 0xe7203d0000 | 0xe72119afff | Memory Mapped File | Readable |
|
|
|
- |
| micross.ttf | 0xe7203d0000 | 0xe720472fff | Memory Mapped File | Readable |
|
|
|
- |
| mingliu.ttc | 0xe7203d0000 | 0xe721e0bfff | Memory Mapped File | Readable |
|
|
|
- |
| msjh.ttc | 0xe7203d0000 | 0xe72184cfff | Memory Mapped File | Readable |
|
|
|
- |
| meiryo.ttc | 0xe7203d0000 | 0xe720ce5fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000e7203d0000 | 0xe7203d0000 | 0xe7203fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e720400000 | 0xe720400000 | 0xe720686fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e720690000 | 0xe720690000 | 0xe720916fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e720690000 | 0xe720690000 | 0xe721a8ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0xe721a90000 | 0xe721d64fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000e721d70000 | 0xe721d70000 | 0xe72216bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff78b14e000 | 0x7ff78b14e000 | 0x7ff78b14ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff78b150000 | 0x7ff78b150000 | 0x7ff78b24ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff78b250000 | 0x7ff78b250000 | 0x7ff78b272fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff78b274000 | 0x7ff78b274000 | 0x7ff78b275fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff78b276000 | 0x7ff78b276000 | 0x7ff78b277fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff78b278000 | 0x7ff78b278000 | 0x7ff78b279fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff78b27a000 | 0x7ff78b27a000 | 0x7ff78b27afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff78b27c000 | 0x7ff78b27c000 | 0x7ff78b27dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff78b27e000 | 0x7ff78b27e000 | 0x7ff78b27ffff | Private Memory | Readable, Writable |
|
|
|
- |
| winlogon.exe | 0x7ff78b5a0000 | 0x7ff78b62efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwm.exe | 0x7ff7a8340000 | 0x7ff7a8360fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apphelp.dll | 0x7ff9fb4a0000 | 0x7ff9fb527fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dpapi.dll | 0x7ff9fb560000 | 0x7ff9fb568fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7ff9fb5c0000 | 0x7ff9fb6e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxinit.dll | 0x7ff9fb720000 | 0x7ff9fb735fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ff9fc640000 | 0x7ff9fc66afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff9fc680000 | 0x7ff9fc6dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ff9fc6e0000 | 0x7ff9fc6e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x7ff9fc790000 | 0x7ff9fc7e6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kbdus.dll | 0x7ff9fc7e0000 | 0x7ff9fc7e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winlogonext.dll | 0x7ff9fc7f0000 | 0x7ff9fc807fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| powrprof.dll | 0x7ff9fc820000 | 0x7ff9fc864fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ff9fc870000 | 0x7ff9fc883fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x7ff9fc920000 | 0x7ff9fc931fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ff9fc940000 | 0x7ff9fca4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x7ff9fcaf0000 | 0x7ff9fccc6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ff9fcd80000 | 0x7ff9fceb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ff9fcec0000 | 0x7ff9fcf66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ff9fcf70000 | 0x7ff9fcfa3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ff9fcfb0000 | 0x7ff9fd185fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ff9fd2b0000 | 0x7ff9fd354fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ff9fd6d0000 | 0x7ff9fd805fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ff9fd970000 | 0x7ff9fd9c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ff9fdb80000 | 0x7ff9fdcc4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ff9fdd30000 | 0x7ff9fde68fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ff9fde70000 | 0x7ff9fdfe0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9ff500000 | 0x7ff9ff6a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #19: services.exe
0
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\system32\services.exe |
| Command Line | C:\Windows\system32\services.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:38, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1d0 |
| Parent PID | 0x178 (c:\windows\system32\wininit.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
1D4
0x
208
0x
20C
0x
224
0x
254
0x
2D8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000007a05a80000 | 0x7a05a80000 | 0x7a05a9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000007a05a80000 | 0x7a05a80000 | 0x7a05a8ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000007a05a90000 | 0x7a05a90000 | 0x7a05a96fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000007a05aa0000 | 0x7a05aa0000 | 0x7a05aaefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000007a05ab0000 | 0x7a05ab0000 | 0x7a05b2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000007a05b30000 | 0x7a05b30000 | 0x7a05b33fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000007a05b40000 | 0x7a05b40000 | 0x7a05b40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x7a05b50000 | 0x7a05bcdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000007a05bd0000 | 0x7a05bd0000 | 0x7a05bd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| 1394.pnf | 0x7a05be0000 | 0x7a05be4fff | Memory Mapped File | Readable |
|
|
|
- |
| acpi.pnf | 0x7a05be0000 | 0x7a05be2fff | Memory Mapped File | Readable |
|
|
|
- |
| acpipagr.pnf | 0x7a05be0000 | 0x7a05be1fff | Memory Mapped File | Readable |
|
|
|
- |
| acpipmi.pnf | 0x7a05be0000 | 0x7a05be1fff | Memory Mapped File | Readable |
|
|
|
- |
| machine.pnf | 0x7a05be0000 | 0x7a05cbffff | Memory Mapped File | Readable |
|
|
|
- |
| cpu.pnf | 0x7a05be0000 | 0x7a05be6fff | Memory Mapped File | Readable |
|
|
|
- |
| arcsas.pnf | 0x7a05be0000 | 0x7a05beefff | Memory Mapped File | Readable |
|
|
|
- |
| mshdc.pnf | 0x7a05be0000 | 0x7a05bf0fff | Memory Mapped File | Readable |
|
|
|
- |
| netbvbda.pnf | 0x7a05be0000 | 0x7a05be3fff | Memory Mapped File | Readable |
|
|
|
- |
| bcmfn2.pnf | 0x7a05be0000 | 0x7a05be1fff | Memory Mapped File | Readable |
|
|
|
- |
| bthaudhid.pnf | 0x7a05be0000 | 0x7a05be2fff | Memory Mapped File | Readable |
|
|
|
- |
| bthspp.pnf | 0x7a05be0000 | 0x7a05be1fff | Memory Mapped File | Readable |
|
|
|
- |
| cdrom.pnf | 0x7a05be0000 | 0x7a05be3fff | Memory Mapped File | Readable |
|
|
|
- |
| circlass.pnf | 0x7a05be0000 | 0x7a05be5fff | Memory Mapped File | Readable |
|
|
|
- |
| cmbatt.pnf | 0x7a05be0000 | 0x7a05be2fff | Memory Mapped File | Readable |
|
|
|
- |
| compositebus.pnf | 0x7a05be0000 | 0x7a05be1fff | Memory Mapped File | Readable |
|
|
|
- |
| disk.pnf | 0x7a05be0000 | 0x7a05be4fff | Memory Mapped File | Readable |
|
|
|
- |
| wdmaudio.pnf | 0x7a05be0000 | 0x7a05be5fff | Memory Mapped File | Readable |
|
|
|
- |
| net1ic64.pnf | 0x7a05be0000 | 0x7a05bfafff | Memory Mapped File | Readable |
|
|
|
- |
| netevbda.pnf | 0x7a05be0000 | 0x7a05bfdfff | Memory Mapped File | Readable |
|
|
|
- |
| ehstortcgdrv.pnf | 0x7a05be0000 | 0x7a05be1fff | Memory Mapped File | Readable |
|
|
|
- |
| errdev.pnf | 0x7a05be0000 | 0x7a05be2fff | Memory Mapped File | Readable |
|
|
|
- |
| fdc.pnf | 0x7a05be0000 | 0x7a05be1fff | Memory Mapped File | Readable |
|
|
|
- |
| flpydisk.pnf | 0x7a05be0000 | 0x7a05be2fff | Memory Mapped File | Readable |
|
|
|
- |
| wgencounter.pnf | 0x7a05be0000 | 0x7a05be3fff | Memory Mapped File | Readable |
|
|
|
- |
| hdaudio.pnf | 0x7a05be0000 | 0x7a05bfffff | Memory Mapped File | Readable |
|
|
|
- |
| hdaudbus.pnf | 0x7a05be0000 | 0x7a05be2fff | Memory Mapped File | Readable |
|
|
|
- |
| hidbatt.pnf | 0x7a05be0000 | 0x7a05be1fff | Memory Mapped File | Readable |
|
|
|
- |
| hidbth.pnf | 0x7a05be0000 | 0x7a05be2fff | Memory Mapped File | Readable |
|
|
|
- |
| hidir.pnf | 0x7a05be0000 | 0x7a05be8fff | Memory Mapped File | Readable |
|
|
|
- |
| input.pnf | 0x7a05be0000 | 0x7a05c03fff | Memory Mapped File | Readable |
|
|
|
- |
| keyboard.pnf | 0x7a05be0000 | 0x7a05bfdfff | Memory Mapped File | Readable |
|
|
|
- |
| ialpssi_gpio.pnf | 0x7a05be0000 | 0x7a05be1fff | Memory Mapped File | Readable |
|
|
|
- |
| ialpssi_i2c.pnf | 0x7a05be0000 | 0x7a05be2fff | Memory Mapped File | Readable |
|
|
|
- |
| iastorv.pnf | 0x7a05be0000 | 0x7a05be3fff | Memory Mapped File | Readable |
|
|
|
- |
| intelpep.pnf | 0x7a05be0000 | 0x7a05be2fff | Memory Mapped File | Readable |
|
|
|
- |
| iscsi.pnf | 0x7a05be0000 | 0x7a05be2fff | Memory Mapped File | Readable |
|
|
|
- |
| kdnic.pnf | 0x7a05be0000 | 0x7a05be2fff | Memory Mapped File | Readable |
|
|
|
- |
| msmouse.pnf | 0x7a05be0000 | 0x7a05bf6fff | Memory Mapped File | Readable |
|
|
|
- |
| msgpiowin32.pnf | 0x7a05be0000 | 0x7a05be2fff | Memory Mapped File | Readable |
|
|
|
- |
| ksfilter.pnf | 0x7a05be0000 | 0x7a05be4fff | Memory Mapped File | Readable |
|
|
|
- |
| mssmbios.pnf | 0x7a05be0000 | 0x7a05be1fff | Memory Mapped File | Readable |
|
|
|
- |
| mtconfig.pnf | 0x7a05be0000 | 0x7a05be1fff | Memory Mapped File | Readable |
|
|
|
- |
| ndisuio.pnf | 0x7a05be0000 | 0x7a05be1fff | Memory Mapped File | Readable |
|
|
|
- |
| netnb.pnf | 0x7a05be0000 | 0x7a05be1fff | Memory Mapped File | Readable |
|
|
|
- |
| msports.pnf | 0x7a05be0000 | 0x7a05be8fff | Memory Mapped File | Readable |
|
|
|
- |
| rdpbus.pnf | 0x7a05be0000 | 0x7a05be1fff | Memory Mapped File | Readable |
|
|
|
- |
| sbp2.pnf | 0x7a05be0000 | 0x7a05be1fff | Memory Mapped File | Readable |
|
|
|
- |
| sdstor.pnf | 0x7a05be0000 | 0x7a05be2fff | Memory Mapped File | Readable |
|
|
|
- |
| spaceport.pnf | 0x7a05be0000 | 0x7a05be1fff | Memory Mapped File | Readable |
|
|
|
- |
| stornvme.pnf | 0x7a05be0000 | 0x7a05be2fff | Memory Mapped File | Readable |
|
|
|
- |
| swenum.pnf | 0x7a05be0000 | 0x7a05be1fff | Memory Mapped File | Readable |
|
|
|
- |
| netip6.pnf | 0x7a05be0000 | 0x7a05be4fff | Memory Mapped File | Readable |
|
|
|
- |
| termmou.pnf | 0x7a05be0000 | 0x7a05be1fff | Memory Mapped File | Readable |
|
|
|
- |
| tpm.pnf | 0x7a05be0000 | 0x7a05be3fff | Memory Mapped File | Readable |
|
|
|
- |
| tsgenericusbdriver.pnf | 0x7a05be0000 | 0x7a05be2fff | Memory Mapped File | Readable |
|
|
|
- |
| nettun.pnf | 0x7a05be0000 | 0x7a05be3fff | Memory Mapped File | Readable |
|
|
|
- |
| uaspstor.pnf | 0x7a05be0000 | 0x7a05be2fff | Memory Mapped File | Readable |
|
|
|
- |
| umbus.pnf | 0x7a05be0000 | 0x7a05be2fff | Memory Mapped File | Readable |
|
|
|
- |
| umpass.pnf | 0x7a05be0000 | 0x7a05be1fff | Memory Mapped File | Readable |
|
|
|
- |
| usb.pnf | 0x7a05be0000 | 0x7a05bf1fff | Memory Mapped File | Readable |
|
|
|
- |
| usbcir.pnf | 0x7a05be0000 | 0x7a05beefff | Memory Mapped File | Readable |
|
|
|
- |
| usbport.pnf | 0x7a05be0000 | 0x7a05c02fff | Memory Mapped File | Readable |
|
|
|
- |
| usbhub3.pnf | 0x7a05be0000 | 0x7a05be4fff | Memory Mapped File | Readable |
|
|
|
- |
| usbprint.pnf | 0x7a05be0000 | 0x7a05be1fff | Memory Mapped File | Readable |
|
|
|
- |
| usbstor.pnf | 0x7a05be0000 | 0x7a05beefff | Memory Mapped File | Readable |
|
|
|
- |
| usbxhci.pnf | 0x7a05be0000 | 0x7a05be2fff | Memory Mapped File | Readable |
|
|
|
- |
| vdrvroot.pnf | 0x7a05be0000 | 0x7a05be1fff | Memory Mapped File | Readable |
|
|
|
- |
| volmgr.pnf | 0x7a05be0000 | 0x7a05be2fff | Memory Mapped File | Readable |
|
|
|
- |
| volume.pnf | 0x7a05be0000 | 0x7a05be1fff | Memory Mapped File | Readable |
|
|
|
- |
| wvpcivsp.pnf | 0x7a05be0000 | 0x7a05be2fff | Memory Mapped File | Readable |
|
|
|
- |
| hidbthle.pnf | 0x7a05be0000 | 0x7a05be3fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000007a05be0000 | 0x7a05be0000 | 0x7a05c5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000007a05c60000 | 0x7a05c60000 | 0x7a05c60fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000007a05c60000 | 0x7a05c60000 | 0x7a05c67fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000007a05c70000 | 0x7a05c70000 | 0x7a05c72fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000007a05c80000 | 0x7a05c80000 | 0x7a05c80fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000007a05cd0000 | 0x7a05cd0000 | 0x7a05dcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000007a05dd0000 | 0x7a05dd0000 | 0x7a05efffff | Private Memory | Readable, Writable |
|
|
|
- |
| monitor.pnf | 0x7a05dd0000 | 0x7a05ee8fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000007a05dd0000 | 0x7a05dd0000 | 0x7a05e4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000007a05e50000 | 0x7a05e50000 | 0x7a05ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000007a05ef0000 | 0x7a05ef0000 | 0x7a05efffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x7a05f00000 | 0x7a061d4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000007a061e0000 | 0x7a061e0000 | 0x7a065dbfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000007a065e0000 | 0x7a065e0000 | 0x7a0665ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000007a06660000 | 0x7a06660000 | 0x7a066dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff7e5d40000 | 0x7ff7e5d40000 | 0x7ff7e5e3ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff7e5e40000 | 0x7ff7e5e40000 | 0x7ff7e5e62fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff7e5e63000 | 0x7ff7e5e63000 | 0x7ff7e5e63fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7e5e64000 | 0x7ff7e5e64000 | 0x7ff7e5e65fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7e5e66000 | 0x7ff7e5e66000 | 0x7ff7e5e67fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7e5e68000 | 0x7ff7e5e68000 | 0x7ff7e5e69fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7e5e6a000 | 0x7ff7e5e6a000 | 0x7ff7e5e6bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7e5e6c000 | 0x7ff7e5e6c000 | 0x7ff7e5e6dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7e5e6e000 | 0x7ff7e5e6e000 | 0x7ff7e5e6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| services.exe | 0x7ff7e6850000 | 0x7ff7e68b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| authz.dll | 0x7ff9fbb30000 | 0x7ff9fbb77fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| scesrv.dll | 0x7ff9fbb80000 | 0x7ff9fbc07fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| spinf.dll | 0x7ff9fc460000 | 0x7ff9fc47cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7ff9fc480000 | 0x7ff9fc4a4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| eventaggregation.dll | 0x7ff9fc4b0000 | 0x7ff9fc4bafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dabapi.dll | 0x7ff9fc4c0000 | 0x7ff9fc4c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| scext.dll | 0x7ff9fc4d0000 | 0x7ff9fc4dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ff9fc640000 | 0x7ff9fc66afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff9fc680000 | 0x7ff9fc6dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ff9fc6e0000 | 0x7ff9fc6e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ff9fc870000 | 0x7ff9fc883fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ff9fc940000 | 0x7ff9fca4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ff9fcd80000 | 0x7ff9fceb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ff9fcec0000 | 0x7ff9fcf66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ff9fd6d0000 | 0x7ff9fd805fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ff9fd970000 | 0x7ff9fd9c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9ff500000 | 0x7ff9ff6a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #20: lsass.exe
0
0
| Information | Value |
|---|---|
| ID | #20 |
| File Name | c:\windows\system32\lsass.exe |
| Command Line | C:\Windows\system32\lsass.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:40, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:53 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1d8 |
| Parent PID | 0x178 (c:\windows\system32\wininit.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
1DC
0x
1E0
0x
1E4
0x
1E8
0x
1EC
0x
1F4
0x
1F8
0x
1FC
0x
200
0x
204
0x
3B0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000003e43290000 | 0x3e43290000 | 0x3e432affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000003e43290000 | 0x3e43290000 | 0x3e4329ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000003e432a0000 | 0x3e432a0000 | 0x3e432a0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000003e432b0000 | 0x3e432b0000 | 0x3e432befff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000003e432c0000 | 0x3e432c0000 | 0x3e4333ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e432c0000 | 0x3e432c0000 | 0x3e432c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000003e432c0000 | 0x3e432c0000 | 0x3e432c7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000003e432c0000 | 0x3e432c0000 | 0x3e432fbfff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| c935af96-e1e7-4ce7-8449-cd5484d3bbb0 | 0x3e43300000 | 0x3e43300fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000003e43340000 | 0x3e43340000 | 0x3e43343fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000003e43350000 | 0x3e43350000 | 0x3e43350fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000003e43360000 | 0x3e43360000 | 0x3e43361fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x3e43370000 | 0x3e433edfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000003e433f0000 | 0x3e433f0000 | 0x3e433f6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e43400000 | 0x3e43400000 | 0x3e43406fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000003e43410000 | 0x3e43410000 | 0x3e4341ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e43420000 | 0x3e43420000 | 0x3e4351ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e43520000 | 0x3e43520000 | 0x3e4359ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e435a0000 | 0x3e435a0000 | 0x3e4360ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000003e435a0000 | 0x3e435a0000 | 0x3e435affff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000003e435b0000 | 0x3e435b0000 | 0x3e435b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000003e435c0000 | 0x3e435c0000 | 0x3e435c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000003e435d0000 | 0x3e435d0000 | 0x3e435dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e435e0000 | 0x3e435e0000 | 0x3e435e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000003e435e0000 | 0x3e435e0000 | 0x3e435e0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000003e435e0000 | 0x3e435e0000 | 0x3e435effff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| c_28591.nls | 0x3e435e0000 | 0x3e435f0fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000003e43600000 | 0x3e43600000 | 0x3e4360ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e43610000 | 0x3e43610000 | 0x3e4368ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e43690000 | 0x3e43690000 | 0x3e43790fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e43690000 | 0x3e43690000 | 0x3e4370ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e43710000 | 0x3e43710000 | 0x3e4378ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000003e43790000 | 0x3e43790000 | 0x3e43b8bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000003e43b90000 | 0x3e43b90000 | 0x3e43c90fff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x3e43b90000 | 0x3e43e64fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000003e43e70000 | 0x3e43e70000 | 0x3e43e7ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e43e70000 | 0x3e43e70000 | 0x3e43e70fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e43e80000 | 0x3e43e80000 | 0x3e43efffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e43f00000 | 0x3e43f00000 | 0x3e43f00fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e43f10000 | 0x3e43f10000 | 0x3e43f10fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e43f20000 | 0x3e43f20000 | 0x3e43f20fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e43f30000 | 0x3e43f30000 | 0x3e43f30fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e43f40000 | 0x3e43f40000 | 0x3e43f40fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e43f50000 | 0x3e43f50000 | 0x3e43f50fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e43f60000 | 0x3e43f60000 | 0x3e43f60fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e43f70000 | 0x3e43f70000 | 0x3e43f70fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e43f80000 | 0x3e43f80000 | 0x3e43ffffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e44000000 | 0x3e44000000 | 0x3e4407ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e44000000 | 0x3e44000000 | 0x3e440fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e44080000 | 0x3e44080000 | 0x3e440fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003e44080000 | 0x3e44080000 | 0x3e44080fff | Private Memory | Readable, Writable |
|
|
|
- |
| b2178b99-f9f6-47ad-b0eb-4e709bc8dfda | 0x3e44100000 | 0x3e44100fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000003e44100000 | 0x3e44100000 | 0x3e44100fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6f3a4a000 | 0x7ff6f3a4a000 | 0x7ff6f3a4bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6f3a4c000 | 0x7ff6f3a4c000 | 0x7ff6f3a4dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6f3a4e000 | 0x7ff6f3a4e000 | 0x7ff6f3a4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff6f3a50000 | 0x7ff6f3a50000 | 0x7ff6f3b4ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff6f3b50000 | 0x7ff6f3b50000 | 0x7ff6f3b72fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff6f3b73000 | 0x7ff6f3b73000 | 0x7ff6f3b74fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6f3b75000 | 0x7ff6f3b75000 | 0x7ff6f3b76fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6f3b77000 | 0x7ff6f3b77000 | 0x7ff6f3b78fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6f3b79000 | 0x7ff6f3b79000 | 0x7ff6f3b7afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6f3b7b000 | 0x7ff6f3b7b000 | 0x7ff6f3b7cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6f3b7d000 | 0x7ff6f3b7d000 | 0x7ff6f3b7efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6f3b7f000 | 0x7ff6f3b7f000 | 0x7ff6f3b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| lsass.exe | 0x7ff6f3c20000 | 0x7ff6f3c2dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wevtapi.dll | 0x7ff9fa450000 | 0x7ff9fa4b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x7ff9fbb20000 | 0x7ff9fbb2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| scecli.dll | 0x7ff9fbc10000 | 0x7ff9fbc56fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| credssp.dll | 0x7ff9fbc50000 | 0x7ff9fbc59fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dpapisrv.dll | 0x7ff9fbc60000 | 0x7ff9fbc92fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| efslsaext.dll | 0x7ff9fbca0000 | 0x7ff9fbcb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| schannel.dll | 0x7ff9fbcc0000 | 0x7ff9fbd2afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wdigest.dll | 0x7ff9fbd30000 | 0x7ff9fbd69fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ff9fbd70000 | 0x7ff9fbda4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| livessp.dll | 0x7ff9fbdb0000 | 0x7ff9fbe0bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pku2u.dll | 0x7ff9fbe10000 | 0x7ff9fbe56fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| tspkg.dll | 0x7ff9fbe60000 | 0x7ff9fbe7afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7ff9fbe80000 | 0x7ff9fbe9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x7ff9fbea0000 | 0x7ff9fbedcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x7ff9fbee0000 | 0x7ff9fbf82fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netlogon.dll | 0x7ff9fbf90000 | 0x7ff9fc05efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msv1_0.dll | 0x7ff9fc060000 | 0x7ff9fc0c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x7ff9fc0d0000 | 0x7ff9fc127fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ff9fc130000 | 0x7ff9fc14dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kerberos.dll | 0x7ff9fc150000 | 0x7ff9fc23afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptdll.dll | 0x7ff9fc240000 | 0x7ff9fc257fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| negoexts.dll | 0x7ff9fc260000 | 0x7ff9fc285fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netjoin.dll | 0x7ff9fc290000 | 0x7ff9fc2dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msprivs.dll | 0x7ff9fc2e0000 | 0x7ff9fc2e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntasn1.dll | 0x7ff9fc2f0000 | 0x7ff9fc329fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ncrypt.dll | 0x7ff9fc330000 | 0x7ff9fc353fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ff9fc360000 | 0x7ff9fc385fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samsrv.dll | 0x7ff9fc390000 | 0x7ff9fc45dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lsasrv.dll | 0x7ff9fc4e0000 | 0x7ff9fc63cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ff9fc640000 | 0x7ff9fc66afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspisrv.dll | 0x7ff9fc670000 | 0x7ff9fc67afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff9fc680000 | 0x7ff9fc6dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ff9fc6e0000 | 0x7ff9fc6e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x7ff9fc790000 | 0x7ff9fc7e6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| powrprof.dll | 0x7ff9fc820000 | 0x7ff9fc864fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ff9fc870000 | 0x7ff9fc883fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x7ff9fc920000 | 0x7ff9fc931fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ff9fc940000 | 0x7ff9fca4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ff9fca50000 | 0x7ff9fca99fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x7ff9fcaf0000 | 0x7ff9fccc6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ff9fcd80000 | 0x7ff9fceb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ff9fcec0000 | 0x7ff9fcf66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ff9fd250000 | 0x7ff9fd2a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ff9fd2b0000 | 0x7ff9fd354fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ff9fd6d0000 | 0x7ff9fd805fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ff9fd970000 | 0x7ff9fd9c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ff9ff470000 | 0x7ff9ff478fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9ff500000 | 0x7ff9ff6a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #21: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #21 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k DcomLaunch |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:49, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:44 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x210 |
| Parent PID | 0x1d0 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
214
0x
218
0x
21C
0x
220
0x
228
0x
23C
0x
240
0x
244
0x
24C
0x
258
0x
25C
0x
270
0x
274
0x
290
0x
294
0x
13C
0x
1FC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000009b9c480000 | 0x9b9c480000 | 0x9b9c49ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000009b9c480000 | 0x9b9c480000 | 0x9b9c48ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009b9c490000 | 0x9b9c490000 | 0x9b9c496fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000009b9c4a0000 | 0x9b9c4a0000 | 0x9b9c4aefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000009b9c4b0000 | 0x9b9c4b0000 | 0x9b9c52ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000009b9c530000 | 0x9b9c530000 | 0x9b9c533fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000009b9c540000 | 0x9b9c540000 | 0x9b9c540fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000009b9c550000 | 0x9b9c550000 | 0x9b9c551fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x9b9c560000 | 0x9b9c5ddfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000009b9c5e0000 | 0x9b9c5e0000 | 0x9b9c5e6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009b9c5f0000 | 0x9b9c5f0000 | 0x9b9c5f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000009b9c5f0000 | 0x9b9c5f0000 | 0x9b9c5f0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000009b9c600000 | 0x9b9c600000 | 0x9b9c600fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000009b9c610000 | 0x9b9c610000 | 0x9b9c626fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000009b9c610000 | 0x9b9c610000 | 0x9b9c610fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000009b9c620000 | 0x9b9c620000 | 0x9b9c620fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009b9c630000 | 0x9b9c630000 | 0x9b9c72ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009b9c730000 | 0x9b9c730000 | 0x9b9c7affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009b9c7b0000 | 0x9b9c7b0000 | 0x9b9c82ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x9b9c830000 | 0x9b9cb04fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000009b9cb10000 | 0x9b9cb10000 | 0x9b9ccaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009b9cb10000 | 0x9b9cb10000 | 0x9b9cb8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009b9cb90000 | 0x9b9cb90000 | 0x9b9cc9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009b9cb90000 | 0x9b9cb90000 | 0x9b9cc0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009b9cc10000 | 0x9b9cc10000 | 0x9b9cc8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009b9cc90000 | 0x9b9cc90000 | 0x9b9cc9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009b9cca0000 | 0x9b9cca0000 | 0x9b9ccaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009b9ccb0000 | 0x9b9ccb0000 | 0x9b9cd2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000009b9ccb0000 | 0x9b9ccb0000 | 0x9b9ccb0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000009b9ccc0000 | 0x9b9ccc0000 | 0x9b9ccc0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000009b9cd30000 | 0x9b9cd30000 | 0x9b9cdaffff | Private Memory | Readable, Writable |
|
|
|
- |
| ole32.dll | 0x9b9cdb0000 | 0x9b9cf28fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000009b9cdb0000 | 0x9b9cdb0000 | 0x9b9ceaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009b9ceb0000 | 0x9b9ceb0000 | 0x9b9d08ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009b9ceb0000 | 0x9b9ceb0000 | 0x9b9cf2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009b9cf30000 | 0x9b9cf30000 | 0x9b9cf30fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009b9cf30000 | 0x9b9cf30000 | 0x9b9cfaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009b9cfb0000 | 0x9b9cfb0000 | 0x9b9d02ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009b9d080000 | 0x9b9d080000 | 0x9b9d08ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000009b9d090000 | 0x9b9d090000 | 0x9b9d10ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606a36000 | 0x7ff606a36000 | 0x7ff606a37fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606a38000 | 0x7ff606a38000 | 0x7ff606a39fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606a3a000 | 0x7ff606a3a000 | 0x7ff606a3bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606a3c000 | 0x7ff606a3c000 | 0x7ff606a3dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606a3e000 | 0x7ff606a3e000 | 0x7ff606a3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff606a40000 | 0x7ff606a40000 | 0x7ff606b3ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff606b40000 | 0x7ff606b40000 | 0x7ff606b62fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff606b63000 | 0x7ff606b63000 | 0x7ff606b64fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606b65000 | 0x7ff606b65000 | 0x7ff606b66fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606b67000 | 0x7ff606b67000 | 0x7ff606b68fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606b69000 | 0x7ff606b69000 | 0x7ff606b6afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606b6b000 | 0x7ff606b6b000 | 0x7ff606b6cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606b6d000 | 0x7ff606b6d000 | 0x7ff606b6efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606b6f000 | 0x7ff606b6f000 | 0x7ff606b6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| svchost.exe | 0x7ff606dc0000 | 0x7ff606dcbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wtsapi32.dll | 0x7ff9f8c60000 | 0x7ff9f8c70fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dab.dll | 0x7ff9fb530000 | 0x7ff9fb54afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bi.dll | 0x7ff9fb550000 | 0x7ff9fb55afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| systemeventsbrokerserver.dll | 0x7ff9fb570000 | 0x7ff9fb5b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7ff9fb6f0000 | 0x7ff9fb715fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ff9fb740000 | 0x7ff9fb749fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psmsrv.dll | 0x7ff9fb750000 | 0x7ff9fb773fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wmsgapi.dll | 0x7ff9fb780000 | 0x7ff9fb788fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sysntfy.dll | 0x7ff9fb790000 | 0x7ff9fb79afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bisrv.dll | 0x7ff9fb860000 | 0x7ff9fb8a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lsm.dll | 0x7ff9fb8b0000 | 0x7ff9fb963fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcss.dll | 0x7ff9fb9b0000 | 0x7ff9fba6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gpapi.dll | 0x7ff9fba70000 | 0x7ff9fba92fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| hid.dll | 0x7ff9fbaa0000 | 0x7ff9fbaacfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pcwum.dll | 0x7ff9fbab0000 | 0x7ff9fbabdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| umpoext.dll | 0x7ff9fbac0000 | 0x7ff9fbacefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| umpo.dll | 0x7ff9fbad0000 | 0x7ff9fbae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| umpnpmgr.dll | 0x7ff9fbaf0000 | 0x7ff9fbb12fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7ff9fbe80000 | 0x7ff9fbe9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ff9fc640000 | 0x7ff9fc66afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff9fc680000 | 0x7ff9fc6dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ff9fc6e0000 | 0x7ff9fc6e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x7ff9fc790000 | 0x7ff9fc7e6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| powrprof.dll | 0x7ff9fc820000 | 0x7ff9fc864fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ff9fc870000 | 0x7ff9fc883fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ff9fc940000 | 0x7ff9fca4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ff9fca50000 | 0x7ff9fca99fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ff9fcd80000 | 0x7ff9fceb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ff9fcec0000 | 0x7ff9fcf66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ff9fcfb0000 | 0x7ff9fd185fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ff9fd190000 | 0x7ff9fd246fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ff9fd2b0000 | 0x7ff9fd354fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ff9fd6d0000 | 0x7ff9fd805fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7ff9fd8c0000 | 0x7ff9fd963fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ff9fd970000 | 0x7ff9fd9c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9ff500000 | 0x7ff9ff6a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #22: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #22 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k RPCSS |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:43 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x22c |
| Parent PID | 0x1d0 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
230
0x
234
0x
238
0x
248
0x
250
0x
260
0x
264
0x
268
0x
28C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000004de72a0000 | 0x4de72a0000 | 0x4de72bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004de72a0000 | 0x4de72a0000 | 0x4de72affff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004de72b0000 | 0x4de72b0000 | 0x4de72b6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004de72c0000 | 0x4de72c0000 | 0x4de72cefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000004de72d0000 | 0x4de72d0000 | 0x4de734ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004de7350000 | 0x4de7350000 | 0x4de7353fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000004de7360000 | 0x4de7360000 | 0x4de7360fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000004de7370000 | 0x4de7370000 | 0x4de7371fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x4de7380000 | 0x4de73fdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000004de7400000 | 0x4de7400000 | 0x4de747ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004de7480000 | 0x4de7480000 | 0x4de7480fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004de7480000 | 0x4de7480000 | 0x4de7486fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004de7490000 | 0x4de7490000 | 0x4de7492fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000004de74a0000 | 0x4de74a0000 | 0x4de74a0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004de74b0000 | 0x4de74b0000 | 0x4de74b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000004de74c0000 | 0x4de74c0000 | 0x4de75bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004de75c0000 | 0x4de75c0000 | 0x4de763ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x4de7640000 | 0x4de7914fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000004de7920000 | 0x4de7920000 | 0x4de799ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004de79a0000 | 0x4de79a0000 | 0x4de7b4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004de79a0000 | 0x4de79a0000 | 0x4de7a1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004de7a20000 | 0x4de7a20000 | 0x4de7a9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000004de7aa0000 | 0x4de7aa0000 | 0x4de7b1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004de7b20000 | 0x4de7b20000 | 0x4de7b20fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000004de7b40000 | 0x4de7b40000 | 0x4de7b4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000004de7b50000 | 0x4de7b50000 | 0x4de7f4bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000004de7f50000 | 0x4de7f50000 | 0x4de7fcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606bbc000 | 0x7ff606bbc000 | 0x7ff606bbdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606bbe000 | 0x7ff606bbe000 | 0x7ff606bbffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff606bc0000 | 0x7ff606bc0000 | 0x7ff606cbffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff606cc0000 | 0x7ff606cc0000 | 0x7ff606ce2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff606ce3000 | 0x7ff606ce3000 | 0x7ff606ce3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606ce4000 | 0x7ff606ce4000 | 0x7ff606ce5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606ce6000 | 0x7ff606ce6000 | 0x7ff606ce7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606ce8000 | 0x7ff606ce8000 | 0x7ff606ce9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606cea000 | 0x7ff606cea000 | 0x7ff606cebfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606cec000 | 0x7ff606cec000 | 0x7ff606cedfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606cee000 | 0x7ff606cee000 | 0x7ff606ceffff | Private Memory | Readable, Writable |
|
|
|
- |
| svchost.exe | 0x7ff606dc0000 | 0x7ff606dcbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fwpuclnt.dll | 0x7ff9f8800000 | 0x7ff9f8866fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ff9fb740000 | 0x7ff9fb749fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| firewallapi.dll | 0x7ff9fb7a0000 | 0x7ff9fb855fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrtremote.dll | 0x7ff9fb970000 | 0x7ff9fb981fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcepmap.dll | 0x7ff9fb990000 | 0x7ff9fb9a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcss.dll | 0x7ff9fb9b0000 | 0x7ff9fba6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ff9fbd70000 | 0x7ff9fbda4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x7ff9fc0d0000 | 0x7ff9fc127fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ff9fc130000 | 0x7ff9fc14dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ff9fc360000 | 0x7ff9fc385fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ff9fc640000 | 0x7ff9fc66afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff9fc680000 | 0x7ff9fc6dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ff9fc6e0000 | 0x7ff9fc6e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| powrprof.dll | 0x7ff9fc820000 | 0x7ff9fc864fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ff9fc940000 | 0x7ff9fca4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ff9fcd80000 | 0x7ff9fceb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ff9fcec0000 | 0x7ff9fcf66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ff9fcfb0000 | 0x7ff9fd185fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ff9fd250000 | 0x7ff9fd2a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ff9fd6d0000 | 0x7ff9fd805fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7ff9fd8c0000 | 0x7ff9fd963fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ff9fd970000 | 0x7ff9fd9c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ff9ff470000 | 0x7ff9ff478fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9ff500000 | 0x7ff9ff6a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #23: logonui.exe
0
0
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\windows\system32\logonui.exe |
| Command Line | "LogonUI.exe" /flags:0x0 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:53, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:40 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x284 |
| Parent PID | 0x194 (c:\windows\system32\winlogon.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
288
0x
2FC
0x
324
0x
328
0x
340
0x
34C
0x
388
0x
394
0x
398
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000008612ed0000 | 0x8612ed0000 | 0x8612eeffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008612ed0000 | 0x8612ed0000 | 0x8612edffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008612ee0000 | 0x8612ee0000 | 0x8612ee6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008612ef0000 | 0x8612ef0000 | 0x8612efefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000008612f00000 | 0x8612f00000 | 0x8612f7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008612f80000 | 0x8612f80000 | 0x8612f83fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000008612f90000 | 0x8612f90000 | 0x8612f92fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000008612fa0000 | 0x8612fa0000 | 0x8612fa1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x8612fb0000 | 0x861302dfff | Memory Mapped File | Readable |
|
|
|
- |
| rpcss.dll | 0x8613030000 | 0x86130e7fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000008613030000 | 0x8613030000 | 0x8613036fff | Private Memory | Readable, Writable |
|
|
|
- |
| imm32.dll | 0x8613040000 | 0x8613073fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000008613040000 | 0x8613040000 | 0x861306ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000008613070000 | 0x8613070000 | 0x8613070fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008613080000 | 0x8613080000 | 0x8613080fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008613090000 | 0x8613090000 | 0x8613090fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000008613090000 | 0x8613090000 | 0x8613093fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000086130a0000 | 0x86130a0000 | 0x86130a6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000086130b0000 | 0x86130b0000 | 0x86130b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000086130c0000 | 0x86130c0000 | 0x86130c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000086130d0000 | 0x86130d0000 | 0x86130d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000086130e0000 | 0x86130e0000 | 0x86130e1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| windowsshell.manifest | 0x86130f0000 | 0x86130f0fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000086130f0000 | 0x86130f0000 | 0x86130f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000008613100000 | 0x8613100000 | 0x8613101fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000008613110000 | 0x8613110000 | 0x8613110fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008613120000 | 0x8613120000 | 0x8613121fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000008613130000 | 0x8613130000 | 0x8613130fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008613140000 | 0x8613140000 | 0x8613141fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000008613150000 | 0x8613150000 | 0x861324ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008613250000 | 0x8613250000 | 0x86133effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008613250000 | 0x8613250000 | 0x86133d7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000086133e0000 | 0x86133e0000 | 0x86133effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000086133f0000 | 0x86133f0000 | 0x8613570fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000008613580000 | 0x8613580000 | 0x861369ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008613580000 | 0x8613580000 | 0x8613670fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| dui70.dll.mui | 0x8613680000 | 0x8613681fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000008613690000 | 0x8613690000 | 0x861369ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000086136a0000 | 0x86136a0000 | 0x861371ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008613720000 | 0x8613720000 | 0x8613b1bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| oleaut32.dll | 0x8613b20000 | 0x8613bd5fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000008613b20000 | 0x8613b20000 | 0x8613b9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008613ba0000 | 0x8613ba0000 | 0x8613c1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008613c20000 | 0x8613c20000 | 0x8613c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000008613ca0000 | 0x8613ca0000 | 0x8613ca1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| oleaccrc.dll | 0x8613cb0000 | 0x8613cb0fff | Memory Mapped File | Readable |
|
|
|
- |
| sortdefault.nls | 0x8613cc0000 | 0x8613f94fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000008613fa0000 | 0x8613fa0000 | 0x861409ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000086140a0000 | 0x86140a0000 | 0x861419ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000086141a0000 | 0x86141a0000 | 0x86141a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000086141b0000 | 0x86141b0000 | 0x86141b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000086141c0000 | 0x86141c0000 | 0x86141c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000086141d0000 | 0x86141d0000 | 0x861424ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008614250000 | 0x8614250000 | 0x8614250fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008614260000 | 0x8614260000 | 0x8614260fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008614270000 | 0x8614270000 | 0x8614270fff | Private Memory | Readable, Writable |
|
|
|
- |
| basebrd.dll | 0x8614280000 | 0x8614374fff | Memory Mapped File | Readable |
|
|
|
- |
| imageres.dll | 0x8614280000 | 0x8617115fff | Memory Mapped File | Readable |
|
|
|
- |
| basebrd.dll.mui | 0x8614380000 | 0x8614380fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000008614390000 | 0x8614390000 | 0x86143a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000008617120000 | 0x8617120000 | 0x861719ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000086171a0000 | 0x86171a0000 | 0x861729ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000086172a0000 | 0x86172a0000 | 0x861731ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6b20ca000 | 0x7ff6b20ca000 | 0x7ff6b20cbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6b20cc000 | 0x7ff6b20cc000 | 0x7ff6b20cdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6b20ce000 | 0x7ff6b20ce000 | 0x7ff6b20cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff6b20d0000 | 0x7ff6b20d0000 | 0x7ff6b21cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff6b21d0000 | 0x7ff6b21d0000 | 0x7ff6b21f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff6b21f4000 | 0x7ff6b21f4000 | 0x7ff6b21f5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6b21f6000 | 0x7ff6b21f6000 | 0x7ff6b21f6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6b21f8000 | 0x7ff6b21f8000 | 0x7ff6b21f9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6b21fa000 | 0x7ff6b21fa000 | 0x7ff6b21fbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6b21fc000 | 0x7ff6b21fc000 | 0x7ff6b21fdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6b21fe000 | 0x7ff6b21fe000 | 0x7ff6b21fffff | Private Memory | Readable, Writable |
|
|
|
- |
| logonui.exe | 0x7ff6b2de0000 | 0x7ff6b2de7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| networkstatus.dll | 0x7ff9f8af0000 | 0x7ff9f8b0bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wtsapi32.dll | 0x7ff9f8c60000 | 0x7ff9f8c70fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| propsys.dll | 0x7ff9f8e90000 | 0x7ff9f8ff4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x7ff9f9020000 | 0x7ff9f90ccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wlidcredprov.dll | 0x7ff9f90d0000 | 0x7ff9f911bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| authext.dll | 0x7ff9f9130000 | 0x7ff9f913cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasman.dll | 0x7ff9f9140000 | 0x7ff9f916dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasplap.dll | 0x7ff9f9170000 | 0x7ff9f91dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| certcredprovider.dll | 0x7ff9f91e0000 | 0x7ff9f9236fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleacc.dll | 0x7ff9f9240000 | 0x7ff9f92a2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winbio.dll | 0x7ff9f92b0000 | 0x7ff9f92ccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| biocredprov.dll | 0x7ff9f92d0000 | 0x7ff9f9323fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwrite.dll | 0x7ff9f9370000 | 0x7ff9f954efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cngcredui.dll | 0x7ff9f9550000 | 0x7ff9f956cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| smartcardcredentialprovider.dll | 0x7ff9f9680000 | 0x7ff9f97d0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcp47langs.dll | 0x7ff9f9810000 | 0x7ff9f986dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rtutils.dll | 0x7ff9f9d00000 | 0x7ff9f9d11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winbrand.dll | 0x7ff9f9d30000 | 0x7ff9f9d3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uianimation.dll | 0x7ff9f9d40000 | 0x7ff9f9d8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sppc.dll | 0x7ff9f9d90000 | 0x7ff9f9db1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| slc.dll | 0x7ff9f9df0000 | 0x7ff9f9e1afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mmdevapi.dll | 0x7ff9f9e20000 | 0x7ff9f9e81fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sndvolsso.dll | 0x7ff9f9e90000 | 0x7ff9f9ecdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d3d10warp.dll | 0x7ff9fa130000 | 0x7ff9fa37cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| duser.dll | 0x7ff9fa3a0000 | 0x7ff9fa440fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dxgi.dll | 0x7ff9fa4c0000 | 0x7ff9fa53efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d3d11.dll | 0x7ff9fa550000 | 0x7ff9fa757fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7ff9fa760000 | 0x7ff9fa9b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x7ff9fad00000 | 0x7ff9fad1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dui70.dll | 0x7ff9fad20000 | 0x7ff9faec9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x7ff9faed0000 | 0x7ff9faf6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dcomp.dll | 0x7ff9faf70000 | 0x7ff9fafc9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| authui.dll | 0x7ff9fafd0000 | 0x7ff9fb257fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apphelp.dll | 0x7ff9fb4a0000 | 0x7ff9fb527fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7ff9fb5c0000 | 0x7ff9fb6e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7ff9fb6f0000 | 0x7ff9fb715fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ff9fb740000 | 0x7ff9fb749fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| hid.dll | 0x7ff9fbaa0000 | 0x7ff9fbaacfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ff9fc130000 | 0x7ff9fc14dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff9fc680000 | 0x7ff9fc6dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ff9fc6e0000 | 0x7ff9fc6e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x7ff9fc790000 | 0x7ff9fc7e6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| powrprof.dll | 0x7ff9fc820000 | 0x7ff9fc864fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ff9fc940000 | 0x7ff9fca4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ff9fca50000 | 0x7ff9fca99fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ff9fcd80000 | 0x7ff9fceb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ff9fcec0000 | 0x7ff9fcf66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ff9fcf70000 | 0x7ff9fcfa3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ff9fcfb0000 | 0x7ff9fd185fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ff9fd190000 | 0x7ff9fd246fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ff9fd250000 | 0x7ff9fd2a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ff9fd2b0000 | 0x7ff9fd354fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ff9fd360000 | 0x7ff9fd4d7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ff9fd6d0000 | 0x7ff9fd805fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7ff9fd8c0000 | 0x7ff9fd963fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ff9fd970000 | 0x7ff9fd9c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ff9fdb80000 | 0x7ff9fdcc4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ff9fdd30000 | 0x7ff9fde68fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ff9fde70000 | 0x7ff9fdfe0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7ff9fe050000 | 0x7ff9ff466fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ff9ff470000 | 0x7ff9ff478fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ff9ff4a0000 | 0x7ff9ff4f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9ff500000 | 0x7ff9ff6a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #24: dwm.exe
0
0
| Information | Value |
|---|---|
| ID | #24 |
| File Name | c:\windows\system32\dwm.exe |
| Command Line | "dwm.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:53, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:40 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x298 |
| Parent PID | 0x194 (c:\windows\system32\winlogon.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | Window Manager\DWM-1 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
29C
0x
2BC
0x
2C0
0x
2C4
0x
2C8
0x
2CC
0x
2F4
0x
2F8
0x
30C
0x
344
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000a74dbf0000 | 0xa74dbf0000 | 0xa74dc0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000a74dbf0000 | 0xa74dbf0000 | 0xa74dbfffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a74dc00000 | 0xa74dc00000 | 0xa74dc06fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000a74dc10000 | 0xa74dc10000 | 0xa74dc1efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000a74dc20000 | 0xa74dc20000 | 0xa74dc9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000a74dca0000 | 0xa74dca0000 | 0xa74dca3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a74dcb0000 | 0xa74dcb0000 | 0xa74dcb2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000a74dcc0000 | 0xa74dcc0000 | 0xa74dcc1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0xa74dcd0000 | 0xa74dd4dfff | Memory Mapped File | Readable |
|
|
|
- |
| sysmain.sdb | 0xa74dd50000 | 0xa74ddb9fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000a74dd50000 | 0xa74dd50000 | 0xa74de3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a74dd50000 | 0xa74dd50000 | 0xa74dd56fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000a74dd60000 | 0xa74dd60000 | 0xa74dd62fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a74dd70000 | 0xa74dd70000 | 0xa74dd70fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a74dd80000 | 0xa74dd80000 | 0xa74dd80fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a74dd90000 | 0xa74dd90000 | 0xa74dd90fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a74dda0000 | 0xa74dda0000 | 0xa74dda0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a74ddb0000 | 0xa74ddb0000 | 0xa74de2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000a74ddb0000 | 0xa74ddb0000 | 0xa74ddb0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a74ddb0000 | 0xa74ddb0000 | 0xa74ddb3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000a74ddc0000 | 0xa74ddc0000 | 0xa74ddc6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000a74ddd0000 | 0xa74ddd0000 | 0xa74ddd0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a74dde0000 | 0xa74dde0000 | 0xa74dde0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a74ddf0000 | 0xa74ddf0000 | 0xa74ddf0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000a74de00000 | 0xa74de00000 | 0xa74de00fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a74de10000 | 0xa74de10000 | 0xa74de10fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a74de20000 | 0xa74de20000 | 0xa74de2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a74de30000 | 0xa74de30000 | 0xa74de3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a74de40000 | 0xa74de40000 | 0xa74de40fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000a74de50000 | 0xa74de50000 | 0xa74de50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000a74de60000 | 0xa74de60000 | 0xa74df5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000a74df60000 | 0xa74df60000 | 0xa74e0e7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a74e0f0000 | 0xa74e0f0000 | 0xa74e270fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a74e280000 | 0xa74e280000 | 0xa74f67ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a74f680000 | 0xa74f680000 | 0xa74fa7bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a74fa80000 | 0xa74fa80000 | 0xa74fb70fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000a74fb80000 | 0xa74fb80000 | 0xa74fbfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a74fc00000 | 0xa74fc00000 | 0xa74fc7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a74fc80000 | 0xa74fc80000 | 0xa74fcfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a74fd00000 | 0xa74fd00000 | 0xa74fd7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0xa74fd80000 | 0xa750054fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000a750060000 | 0xa750060000 | 0xa7500dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a7500e0000 | 0xa7500e0000 | 0xa75015ffff | Private Memory | Readable, Writable |
|
|
|
- |
| aero.msstyles | 0xa750160000 | 0xa750268fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000a750270000 | 0xa750270000 | 0xa7502effff | Private Memory | Readable, Writable |
|
|
|
- |
| rpcss.dll | 0xa7502f0000 | 0xa7503a7fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000a7502f0000 | 0xa7502f0000 | 0xa7502f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a750300000 | 0xa750300000 | 0xa750300fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a750310000 | 0xa750310000 | 0xa750327fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a750330000 | 0xa750330000 | 0xa75035ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a750360000 | 0xa750360000 | 0xa750360fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000a750370000 | 0xa750370000 | 0xa75046ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a750470000 | 0xa750470000 | 0xa75056ffff | Private Memory | Readable, Writable |
|
|
|
- |
| d2d1.dll.mui | 0xa750570000 | 0xa7505a2fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000a7505b0000 | 0xa7505b0000 | 0xa7507affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000a7507b0000 | 0xa7507b0000 | 0xa750ca1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a750cb0000 | 0xa750cb0000 | 0xa7511a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a750cb0000 | 0xa750cb0000 | 0xa750d2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a750d30000 | 0xa750d30000 | 0xa751221fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a7511b0000 | 0xa7511b0000 | 0xa7516a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000a751230000 | 0xa751230000 | 0xa751230fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a751240000 | 0xa751240000 | 0xa751240fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a751250000 | 0xa751250000 | 0xa751250fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a751260000 | 0xa751260000 | 0xa751260fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a751270000 | 0xa751270000 | 0xa751270fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000a7516b0000 | 0xa7516b0000 | 0xa751ba1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a751bb0000 | 0xa751bb0000 | 0xa7520a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7a81d8000 | 0x7ff7a81d8000 | 0x7ff7a81d9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7a81da000 | 0x7ff7a81da000 | 0x7ff7a81dbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7a81dc000 | 0x7ff7a81dc000 | 0x7ff7a81ddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7a81de000 | 0x7ff7a81de000 | 0x7ff7a81dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff7a81e0000 | 0x7ff7a81e0000 | 0x7ff7a82dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff7a82e0000 | 0x7ff7a82e0000 | 0x7ff7a8302fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff7a8304000 | 0x7ff7a8304000 | 0x7ff7a8305fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7a8306000 | 0x7ff7a8306000 | 0x7ff7a8307fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7a8308000 | 0x7ff7a8308000 | 0x7ff7a8309fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7a830a000 | 0x7ff7a830a000 | 0x7ff7a830bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7a830c000 | 0x7ff7a830c000 | 0x7ff7a830dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7a830e000 | 0x7ff7a830e000 | 0x7ff7a830efff | Private Memory | Readable, Writable |
|
|
|
- |
| dwm.exe | 0x7ff7a8340000 | 0x7ff7a8360fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| xmllite.dll | 0x7ff9f9590000 | 0x7ff9f95c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d2d1.dll | 0x7ff9f9870000 | 0x7ff9f9cd6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uianimation.dll | 0x7ff9f9d40000 | 0x7ff9f9d8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| udwm.dll | 0x7ff9f9ed0000 | 0x7ff9f9f95fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d3d10warp.dll | 0x7ff9fa130000 | 0x7ff9fa37cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dxgi.dll | 0x7ff9fa4c0000 | 0x7ff9fa53efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| avrt.dll | 0x7ff9fa540000 | 0x7ff9fa54afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d3d11.dll | 0x7ff9fa550000 | 0x7ff9fa757fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| windowscodecs.dll | 0x7ff9fa9c0000 | 0x7ff9fab52fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dcomp.dll | 0x7ff9faf70000 | 0x7ff9fafc9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmcore.dll | 0x7ff9fb260000 | 0x7ff9fb46efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmredir.dll | 0x7ff9fb470000 | 0x7ff9fb49bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apphelp.dll | 0x7ff9fb4a0000 | 0x7ff9fb527fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7ff9fb5c0000 | 0x7ff9fb6e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ff9fb740000 | 0x7ff9fb749fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff9fc680000 | 0x7ff9fc6dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ff9fc6e0000 | 0x7ff9fc6e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| powrprof.dll | 0x7ff9fc820000 | 0x7ff9fc864fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ff9fc940000 | 0x7ff9fca4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ff9fcd80000 | 0x7ff9fceb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ff9fcec0000 | 0x7ff9fcf66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7ff9fcf70000 | 0x7ff9fcfa3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ff9fcfb0000 | 0x7ff9fd185fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ff9fd6d0000 | 0x7ff9fd805fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7ff9fd8c0000 | 0x7ff9fd963fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ff9fd970000 | 0x7ff9fd9c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ff9fdb80000 | 0x7ff9fdcc4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7ff9fdd30000 | 0x7ff9fde68fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ff9fde70000 | 0x7ff9fdfe0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9ff500000 | 0x7ff9ff6a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #25: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #25 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:57, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:36 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2a8 |
| Parent PID | 0x1d0 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2AC
0x
2B4
0x
2B8
0x
2D0
0x
2D4
0x
300
0x
308
0x
304
0x
310
0x
33C
0x
348
0x
3A0
0x
3A4
0x
3A8
0x
3AC
0x
3B4
0x
3BC
0x
3C0
0x
3D4
0x
3F4
0x
3F8
0x
3FC
0x
D8
0x
DC
0x
F8
0x
120
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| fltmgr.sys | 0x06690000 | 0x066ebfff | Memory Mapped File | Readable |
|
|
|
- |
| ntfs.sys | 0x06690000 | 0x06885fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000e086690000 | 0xe086690000 | 0xe0866affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e086690000 | 0xe086690000 | 0xe08669ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e0866a0000 | 0xe0866a0000 | 0xe0866a6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e0866b0000 | 0xe0866b0000 | 0xe0866befff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000e0866c0000 | 0xe0866c0000 | 0xe08673ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e086740000 | 0xe086740000 | 0xe086743fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e086750000 | 0xe086750000 | 0xe086750fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000e086760000 | 0xe086760000 | 0xe086761fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0xe086770000 | 0xe0867edfff | Memory Mapped File | Readable |
|
|
|
- |
| rpcss.dll | 0xe0867f0000 | 0xe0868a7fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000e0867f0000 | 0xe0867f0000 | 0xe0867f6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e086800000 | 0xe086800000 | 0xe0868bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e0868c0000 | 0xe0868c0000 | 0xe0868c2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e0868d0000 | 0xe0868d0000 | 0xe0868d0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e0868e0000 | 0xe0868e0000 | 0xe0868e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e0868f0000 | 0xe0868f0000 | 0xe0868f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e086900000 | 0xe086900000 | 0xe086906fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e086910000 | 0xe086910000 | 0xe086a0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e086a10000 | 0xe086a10000 | 0xe086b3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e086a10000 | 0xe086a10000 | 0xe086a8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e086a90000 | 0xe086a90000 | 0xe086b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pshed.dll | 0xe086a90000 | 0xe086aa4fff | Memory Mapped File | Readable |
|
|
|
- |
| microsoft-windows-kernel-power-events.dll | 0xe086a90000 | 0xe086ab0fff | Memory Mapped File | Readable |
|
|
|
- |
| microsoft-windows-kernel-processor-power-events.dll | 0xe086a90000 | 0xe086aa0fff | Memory Mapped File | Readable |
|
|
|
- |
| profsvc.dll | 0xe086a90000 | 0xe086ac9fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000e086a90000 | 0xe086a90000 | 0xe086a90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e086aa0000 | 0xe086aa0000 | 0xe086aa0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000e086ab0000 | 0xe086ab0000 | 0xe086ab0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e086ac0000 | 0xe086ac0000 | 0xe086ac0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e086ad0000 | 0xe086ad0000 | 0xe086ad0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e086ae0000 | 0xe086ae0000 | 0xe086ae0fff | Private Memory | Readable, Writable |
|
|
|
- |
| tzres.dll | 0xe086b10000 | 0xe086b11fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000e086b10000 | 0xe086b10000 | 0xe086b10fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e086b10000 | 0xe086b10000 | 0xe086b2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| tzres.dll.mui | 0xe086b20000 | 0xe086b27fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000e086b30000 | 0xe086b30000 | 0xe086b3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000e086b40000 | 0xe086b40000 | 0xe086cc7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e086cd0000 | 0xe086cd0000 | 0xe086e50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000e086e60000 | 0xe086e60000 | 0xe08725bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0xe087260000 | 0xe087534fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000e087540000 | 0xe087540000 | 0xe087637fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e087540000 | 0xe087540000 | 0xe0875bffff | Private Memory | Readable, Writable |
|
|
|
- |
| wevtapi.dll | 0xe0875c0000 | 0xe087626fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000e087630000 | 0xe087630000 | 0xe087637fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e087640000 | 0xe087640000 | 0xe08773ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e087740000 | 0xe087740000 | 0xe0877bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e0877c0000 | 0xe0877c0000 | 0xe08783ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e087840000 | 0xe087840000 | 0xe0878bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e0878c0000 | 0xe0878c0000 | 0xe08793ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e087940000 | 0xe087940000 | 0xe087940fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e087940000 | 0xe087940000 | 0xe08795ffff | Private Memory | Readable, Writable |
|
|
|
- |
| microsoft-windows-system-events.dll | 0xe087960000 | 0xe08799cfff | Memory Mapped File | Readable |
|
|
|
- |
| lsm.dll | 0xe087960000 | 0xe087a13fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000e0879a0000 | 0xe0879a0000 | 0xe0879a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e0879a0000 | 0xe0879a0000 | 0xe087a1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e087a20000 | 0xe087a20000 | 0xe087a20fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e087a20000 | 0xe087a20000 | 0xe087a3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e087a40000 | 0xe087a40000 | 0xe087abffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e087ac0000 | 0xe087ac0000 | 0xe087ac0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e087ac0000 | 0xe087ac0000 | 0xe087b3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e087b40000 | 0xe087b40000 | 0xe087b40fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e087b40000 | 0xe087b40000 | 0xe087b5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| comres.dll | 0xe087b60000 | 0xe087c9dfff | Memory Mapped File | Readable |
|
|
|
- |
| adtschema.dll | 0xe087b60000 | 0xe087c13fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000e087b60000 | 0xe087b60000 | 0xe087bdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e087be0000 | 0xe087be0000 | 0xe087c5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e087ca0000 | 0xe087ca0000 | 0xe087d9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e087da0000 | 0xe087da0000 | 0xe087f9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gpsvc.dll | 0xe087fa0000 | 0xe0880e6fff | Memory Mapped File | Readable |
|
|
|
- |
| ole32.dll | 0xe087fa0000 | 0xe088118fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000e087fa0000 | 0xe087fa0000 | 0xe08801ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e088020000 | 0xe088020000 | 0xe08809ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e0880a0000 | 0xe0880a0000 | 0xe08811ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e088120000 | 0xe088120000 | 0xe08819ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e0881a0000 | 0xe0881a0000 | 0xe08821ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e088220000 | 0xe088220000 | 0xe08829ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000e0882a0000 | 0xe0882a0000 | 0xe08831ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6069b6000 | 0x7ff6069b6000 | 0x7ff6069b7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6069b8000 | 0x7ff6069b8000 | 0x7ff6069b9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6069ba000 | 0x7ff6069ba000 | 0x7ff6069bbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6069bc000 | 0x7ff6069bc000 | 0x7ff6069bdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6069be000 | 0x7ff6069be000 | 0x7ff6069bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6069c0000 | 0x7ff6069c0000 | 0x7ff6069c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6069c2000 | 0x7ff6069c2000 | 0x7ff6069c3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6069c4000 | 0x7ff6069c4000 | 0x7ff6069c5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6069c6000 | 0x7ff6069c6000 | 0x7ff6069c7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6069c8000 | 0x7ff6069c8000 | 0x7ff6069c9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6069ca000 | 0x7ff6069ca000 | 0x7ff6069cbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6069cc000 | 0x7ff6069cc000 | 0x7ff6069cdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6069ce000 | 0x7ff6069ce000 | 0x7ff6069cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff6069d0000 | 0x7ff6069d0000 | 0x7ff606acffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff606ad0000 | 0x7ff606ad0000 | 0x7ff606af2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff606af3000 | 0x7ff606af3000 | 0x7ff606af4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606af5000 | 0x7ff606af5000 | 0x7ff606af6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606af7000 | 0x7ff606af7000 | 0x7ff606af8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606af9000 | 0x7ff606af9000 | 0x7ff606af9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606afa000 | 0x7ff606afa000 | 0x7ff606afbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606afc000 | 0x7ff606afc000 | 0x7ff606afdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606afe000 | 0x7ff606afe000 | 0x7ff606afffff | Private Memory | Readable, Writable |
|
|
|
- |
| svchost.exe | 0x7ff606dc0000 | 0x7ff606dcbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wmiclnt.dll | 0x7ff9f8730000 | 0x7ff9f873dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wcmcsp.dll | 0x7ff9f8760000 | 0x7ff9f877dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dhcpcore6.dll | 0x7ff9f8780000 | 0x7ff9f87c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x7ff9f8870000 | 0x7ff9f8879fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nrpsrv.dll | 0x7ff9f8880000 | 0x7ff9f8888fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x7ff9f8890000 | 0x7ff9f88b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dhcpcore.dll | 0x7ff9f8910000 | 0x7ff9f896afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wcmsvc.dll | 0x7ff9f8970000 | 0x7ff9f89cdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lmhsvc.dll | 0x7ff9f89e0000 | 0x7ff9f89e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| audiosrv.dll | 0x7ff9f8a10000 | 0x7ff9f8ae2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wtsapi32.dll | 0x7ff9f8c60000 | 0x7ff9f8c70fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ksuser.dll | 0x7ff9f9120000 | 0x7ff9f9127fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nlaapi.dll | 0x7ff9f9ce0000 | 0x7ff9f9cf8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x7ff9f9dc0000 | 0x7ff9f9deffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mmdevapi.dll | 0x7ff9f9e20000 | 0x7ff9f9e81fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| avrt.dll | 0x7ff9fa540000 | 0x7ff9fa54afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wevtsvc.dll | 0x7ff9fab60000 | 0x7ff9facfafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7ff9fb6f0000 | 0x7ff9fb715fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ff9fb740000 | 0x7ff9fb749fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| firewallapi.dll | 0x7ff9fb7a0000 | 0x7ff9fb855fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gpapi.dll | 0x7ff9fba70000 | 0x7ff9fba92fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| hid.dll | 0x7ff9fbaa0000 | 0x7ff9fbaacfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x7ff9fbee0000 | 0x7ff9fbf82fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x7ff9fc0d0000 | 0x7ff9fc127fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kerberos.dll | 0x7ff9fc150000 | 0x7ff9fc23afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptdll.dll | 0x7ff9fc240000 | 0x7ff9fc257fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ff9fc640000 | 0x7ff9fc66afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff9fc680000 | 0x7ff9fc6dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ff9fc6e0000 | 0x7ff9fc6e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x7ff9fc790000 | 0x7ff9fc7e6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| powrprof.dll | 0x7ff9fc820000 | 0x7ff9fc864fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x7ff9fc920000 | 0x7ff9fc931fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ff9fc940000 | 0x7ff9fca4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ff9fca50000 | 0x7ff9fca99fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ff9fcd80000 | 0x7ff9fceb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ff9fcec0000 | 0x7ff9fcf66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ff9fcfb0000 | 0x7ff9fd185fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ff9fd190000 | 0x7ff9fd246fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ff9fd250000 | 0x7ff9fd2a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ff9fd360000 | 0x7ff9fd4d7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ff9fd6d0000 | 0x7ff9fd805fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7ff9fd8c0000 | 0x7ff9fd963fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ff9fd970000 | 0x7ff9fd9c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ff9fdb80000 | 0x7ff9fdcc4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ff9fde70000 | 0x7ff9fdfe0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ff9ff470000 | 0x7ff9ff478fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9ff500000 | 0x7ff9ff6a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
|
For performance reasons, the remaining 7 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #26: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #26 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:00, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:33 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2dc |
| Parent PID | 0x1d0 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
2E0
0x
2E4
0x
2E8
0x
2EC
0x
2F0
0x
334
0x
350
0x
354
0x
360
0x
370
0x
37C
0x
FC
0x
100
0x
110
0x
104
0x
10C
0x
108
0x
38
0x
138
0x
204
0x
1DC
0x
3A4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x00000096dda10000 | 0x96dda10000 | 0x96dda2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000096dda10000 | 0x96dda10000 | 0x96dda1ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096dda20000 | 0x96dda20000 | 0x96dda26fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000096dda30000 | 0x96dda30000 | 0x96dda3efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000096dda40000 | 0x96dda40000 | 0x96ddabffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000096ddac0000 | 0x96ddac0000 | 0x96ddac3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000096ddad0000 | 0x96ddad0000 | 0x96ddad0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000096ddae0000 | 0x96ddae0000 | 0x96ddae1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x96ddaf0000 | 0x96ddb6dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000096ddb70000 | 0x96ddb70000 | 0x96ddbcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096ddb70000 | 0x96ddb70000 | 0x96ddb76fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000096ddb80000 | 0x96ddb80000 | 0x96ddb82fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000096ddb90000 | 0x96ddb90000 | 0x96ddb90fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096ddba0000 | 0x96ddba0000 | 0x96ddba0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096ddbb0000 | 0x96ddbb0000 | 0x96ddbb0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096ddbc0000 | 0x96ddbc0000 | 0x96ddbcffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000096ddbd0000 | 0x96ddbd0000 | 0x96ddbd0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000096ddbe0000 | 0x96ddbe0000 | 0x96ddbe0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096ddbf0000 | 0x96ddbf0000 | 0x96ddceffff | Private Memory | Readable, Writable |
|
|
|
- |
| rpcss.dll | 0x96ddcf0000 | 0x96ddda7fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000096ddcf0000 | 0x96ddcf0000 | 0x96dde77fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000096dde80000 | 0x96dde80000 | 0x96de000fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000096de010000 | 0x96de010000 | 0x96de0cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000096de0d0000 | 0x96de0d0000 | 0x96de4cbfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000096de4d0000 | 0x96de4d0000 | 0x96de54ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096de550000 | 0x96de550000 | 0x96de5cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000096de550000 | 0x96de550000 | 0x96de550fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000096de560000 | 0x96de560000 | 0x96de560fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000096de560000 | 0x96de560000 | 0x96de560fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096de560000 | 0x96de560000 | 0x96de566fff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x96de5d0000 | 0x96de8a4fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000096de8b0000 | 0x96de8b0000 | 0x96de92ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096de930000 | 0x96de930000 | 0x96de9affff | Private Memory | Readable, Writable |
|
|
|
- |
| ole32.dll | 0x96de9b0000 | 0x96deb28fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000096de9b0000 | 0x96de9b0000 | 0x96deb7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096de9b0000 | 0x96de9b0000 | 0x96dea2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096dea30000 | 0x96dea30000 | 0x96deaaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096deab0000 | 0x96deab0000 | 0x96deb2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096deb70000 | 0x96deb70000 | 0x96deb7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096deb80000 | 0x96deb80000 | 0x96debfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096dec00000 | 0x96dec00000 | 0x96dec7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096dec80000 | 0x96dec80000 | 0x96decfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096ded00000 | 0x96ded00000 | 0x96ded7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096ded80000 | 0x96ded80000 | 0x96dedfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096dee20000 | 0x96dee20000 | 0x96dee2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096dee30000 | 0x96dee30000 | 0x96def2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096def30000 | 0x96def30000 | 0x96defaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096defb0000 | 0x96defb0000 | 0x96df02ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096df030000 | 0x96df030000 | 0x96df0affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096df0b0000 | 0x96df0b0000 | 0x96df12ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000096df130000 | 0x96df130000 | 0x96df1affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60604c000 | 0x7ff60604c000 | 0x7ff60604dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60604e000 | 0x7ff60604e000 | 0x7ff60604ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606050000 | 0x7ff606050000 | 0x7ff606051fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606052000 | 0x7ff606052000 | 0x7ff606053fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606054000 | 0x7ff606054000 | 0x7ff606055fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606056000 | 0x7ff606056000 | 0x7ff606057fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606058000 | 0x7ff606058000 | 0x7ff606059fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60605a000 | 0x7ff60605a000 | 0x7ff60605bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60605c000 | 0x7ff60605c000 | 0x7ff60605dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60605e000 | 0x7ff60605e000 | 0x7ff60605ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff606060000 | 0x7ff606060000 | 0x7ff60615ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff606160000 | 0x7ff606160000 | 0x7ff606182fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff606184000 | 0x7ff606184000 | 0x7ff606185fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606186000 | 0x7ff606186000 | 0x7ff606187fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606188000 | 0x7ff606188000 | 0x7ff606189fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60618a000 | 0x7ff60618a000 | 0x7ff60618afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60618c000 | 0x7ff60618c000 | 0x7ff60618dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60618e000 | 0x7ff60618e000 | 0x7ff60618ffff | Private Memory | Readable, Writable |
|
|
|
- |
| svchost.exe | 0x7ff606dc0000 | 0x7ff606dcbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| taskcomp.dll | 0x7ff9f82f0000 | 0x7ff9f836bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| proximitycommonpal.dll | 0x7ff9f8370000 | 0x7ff9f8377fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| proximitycommon.dll | 0x7ff9f8380000 | 0x7ff9f83a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| proximityservicepal.dll | 0x7ff9f83b0000 | 0x7ff9f83bdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| proximityservice.dll | 0x7ff9f83c0000 | 0x7ff9f840cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| csystemeventsbrokerclient.dll | 0x7ff9f8410000 | 0x7ff9f8419fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ktmw32.dll | 0x7ff9f8420000 | 0x7ff9f842afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ubpm.dll | 0x7ff9f8430000 | 0x7ff9f8464fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fvecerts.dll | 0x7ff9f8470000 | 0x7ff9f847afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcd.dll | 0x7ff9f8480000 | 0x7ff9f8499fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fveapi.dll | 0x7ff9f84a0000 | 0x7ff9f8553fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| schedsvc.dll | 0x7ff9f8560000 | 0x7ff9f868afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shsvcs.dll | 0x7ff9f8690000 | 0x7ff9f872cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wmiclnt.dll | 0x7ff9f8730000 | 0x7ff9f873dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x7ff9f8870000 | 0x7ff9f8879fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x7ff9f8890000 | 0x7ff9f88b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samlib.dll | 0x7ff9f89f0000 | 0x7ff9f8a0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wtsapi32.dll | 0x7ff9f8c60000 | 0x7ff9f8c70fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| taskschd.dll | 0x7ff9f8c80000 | 0x7ff9f8e1cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mmcss.dll | 0x7ff9f8e20000 | 0x7ff9f8e45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sens.dll | 0x7ff9f9000000 | 0x7ff9f9016fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x7ff9f9330000 | 0x7ff9f9345fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| atl.dll | 0x7ff9f9350000 | 0x7ff9f936afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x7ff9f9570000 | 0x7ff9f9584fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| xmllite.dll | 0x7ff9f9590000 | 0x7ff9f95c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdsapi.dll | 0x7ff9f95d0000 | 0x7ff9f95f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profsvcext.dll | 0x7ff9f97e0000 | 0x7ff9f9803fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nlaapi.dll | 0x7ff9f9ce0000 | 0x7ff9f9cf8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x7ff9f9d20000 | 0x7ff9f9d28fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x7ff9f9dc0000 | 0x7ff9f9deffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profsvc.dll | 0x7ff9f9fa0000 | 0x7ff9f9fd9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gpsvc.dll | 0x7ff9f9fe0000 | 0x7ff9fa126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| themeservice.dll | 0x7ff9fa380000 | 0x7ff9fa390fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wevtapi.dll | 0x7ff9fa450000 | 0x7ff9fa4b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| avrt.dll | 0x7ff9fa540000 | 0x7ff9fa54afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7ff9fb6f0000 | 0x7ff9fb715fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ff9fb740000 | 0x7ff9fb749fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sysntfy.dll | 0x7ff9fb790000 | 0x7ff9fb79afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| firewallapi.dll | 0x7ff9fb7a0000 | 0x7ff9fb855fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gpapi.dll | 0x7ff9fba70000 | 0x7ff9fba92fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| hid.dll | 0x7ff9fbaa0000 | 0x7ff9fbaacfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pcwum.dll | 0x7ff9fbab0000 | 0x7ff9fbabdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x7ff9fbb20000 | 0x7ff9fbb2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| authz.dll | 0x7ff9fbb30000 | 0x7ff9fbb77fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ff9fbd70000 | 0x7ff9fbda4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7ff9fbe80000 | 0x7ff9fbe9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x7ff9fbea0000 | 0x7ff9fbedcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x7ff9fc0d0000 | 0x7ff9fc127fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ff9fc130000 | 0x7ff9fc14dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ff9fc360000 | 0x7ff9fc385fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7ff9fc480000 | 0x7ff9fc4a4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| eventaggregation.dll | 0x7ff9fc4b0000 | 0x7ff9fc4bafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dabapi.dll | 0x7ff9fc4c0000 | 0x7ff9fc4c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ff9fc640000 | 0x7ff9fc66afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff9fc680000 | 0x7ff9fc6dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ff9fc6e0000 | 0x7ff9fc6e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x7ff9fc790000 | 0x7ff9fc7e6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| powrprof.dll | 0x7ff9fc820000 | 0x7ff9fc864fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ff9fc870000 | 0x7ff9fc883fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x7ff9fc920000 | 0x7ff9fc931fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ff9fc940000 | 0x7ff9fca4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ff9fca50000 | 0x7ff9fca99fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x7ff9fcaf0000 | 0x7ff9fccc6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ff9fcd80000 | 0x7ff9fceb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ff9fcec0000 | 0x7ff9fcf66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ff9fcfb0000 | 0x7ff9fd185fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ff9fd190000 | 0x7ff9fd246fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ff9fd250000 | 0x7ff9fd2a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ff9fd2b0000 | 0x7ff9fd354fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ff9fd6d0000 | 0x7ff9fd805fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7ff9fd8c0000 | 0x7ff9fd963fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ff9fd970000 | 0x7ff9fd9c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ff9fdb80000 | 0x7ff9fdcc4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wldap32.dll | 0x7ff9fdcd0000 | 0x7ff9fdd29fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ff9fde70000 | 0x7ff9fdfe0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7ff9fe050000 | 0x7ff9ff466fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ff9ff470000 | 0x7ff9ff478fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7ff9ff4a0000 | 0x7ff9ff4f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9ff500000 | 0x7ff9ff6a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
|
For performance reasons, the remaining 17 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #27: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #27 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k LocalService |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:05, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:28 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x314 |
| Parent PID | 0x1d0 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
318
0x
31C
0x
320
0x
32C
0x
330
0x
338
0x
36C
0x
380
0x
384
0x
3B8
0x
430
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000001dd6a80000 | 0x1dd6a80000 | 0x1dd6a9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000001dd6a80000 | 0x1dd6a80000 | 0x1dd6a8ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000001dd6a90000 | 0x1dd6a90000 | 0x1dd6a96fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000001dd6aa0000 | 0x1dd6aa0000 | 0x1dd6aaefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000001dd6ab0000 | 0x1dd6ab0000 | 0x1dd6b2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000001dd6b30000 | 0x1dd6b30000 | 0x1dd6b33fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000001dd6b40000 | 0x1dd6b40000 | 0x1dd6b40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000001dd6b50000 | 0x1dd6b50000 | 0x1dd6b51fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000001dd6b60000 | 0x1dd6b60000 | 0x1dd6b66fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000001dd6b70000 | 0x1dd6b70000 | 0x1dd6b72fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000001dd6b80000 | 0x1dd6b80000 | 0x1dd6c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x1dd6c80000 | 0x1dd6cfdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000001dd6d00000 | 0x1dd6d00000 | 0x1dd6eaffff | Private Memory | Readable, Writable |
|
|
|
- |
| rpcss.dll | 0x1dd6d00000 | 0x1dd6db7fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000001dd6d00000 | 0x1dd6d00000 | 0x1dd6e87fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000001dd6e90000 | 0x1dd6e90000 | 0x1dd6e90fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000001dd6ea0000 | 0x1dd6ea0000 | 0x1dd6eaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000001dd6eb0000 | 0x1dd6eb0000 | 0x1dd7030fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000001dd7040000 | 0x1dd7040000 | 0x1dd70fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000001dd7100000 | 0x1dd7100000 | 0x1dd74fbfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000001dd7500000 | 0x1dd7500000 | 0x1dd7500fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000001dd7510000 | 0x1dd7510000 | 0x1dd7510fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000001dd7520000 | 0x1dd7520000 | 0x1dd759ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000001dd75a0000 | 0x1dd75a0000 | 0x1dd761ffff | Private Memory | Readable, Writable |
|
|
|
- |
| upckb.ttf | 0x1dd75a0000 | 0x1dd75affff | Memory Mapped File | Readable |
|
|
|
- |
| kokilai.ttf | 0x1dd75a0000 | 0x1dd75d5fff | Memory Mapped File | Readable |
|
|
|
- |
| utsaah.ttf | 0x1dd75a0000 | 0x1dd75cffff | Memory Mapped File | Readable |
|
|
|
- |
| browau.ttf | 0x1dd75a0000 | 0x1dd75b5fff | Memory Mapped File | Readable |
|
|
|
- |
| upckbi.ttf | 0x1dd75a0000 | 0x1dd75b0fff | Memory Mapped File | Readable |
|
|
|
- |
| cordiaz.ttf | 0x1dd75a0000 | 0x1dd75b5fff | Memory Mapped File | Readable |
|
|
|
- |
| vanib.ttf | 0x1dd75a0000 | 0x1dd75fbfff | Memory Mapped File | Readable |
|
|
|
- |
| gautami.ttf | 0x1dd75a0000 | 0x1dd75dcfff | Memory Mapped File | Readable |
|
|
|
- |
| raavib.ttf | 0x1dd75a0000 | 0x1dd75b6fff | Memory Mapped File | Readable |
|
|
|
- |
| kokilab.ttf | 0x1dd75b0000 | 0x1dd75dbfff | Memory Mapped File | Readable |
|
|
|
- |
| upcfbi.ttf | 0x1dd75c0000 | 0x1dd75d0fff | Memory Mapped File | Readable |
|
|
|
- |
| ntailu.ttf | 0x1dd75c0000 | 0x1dd75d1fff | Memory Mapped File | Readable |
|
|
|
- |
| upcfl.ttf | 0x1dd75c0000 | 0x1dd75cffff | Memory Mapped File | Readable |
|
|
|
- |
| simpo.ttf | 0x1dd75c0000 | 0x1dd75e4fff | Memory Mapped File | Readable |
|
|
|
- |
| simpfxo.ttf | 0x1dd75d0000 | 0x1dd75e8fff | Memory Mapped File | Readable |
|
|
|
- |
| kartika.ttf | 0x1dd75d0000 | 0x1dd75effff | Memory Mapped File | Readable |
|
|
|
- |
| mangal.ttf | 0x1dd75e0000 | 0x1dd7610fff | Memory Mapped File | Readable |
|
|
|
- |
| angsaui.ttf | 0x1dd75e0000 | 0x1dd75f8fff | Memory Mapped File | Readable |
|
|
|
- |
| aparajb.ttf | 0x1dd75e0000 | 0x1dd760ffff | Memory Mapped File | Readable |
|
|
|
- |
| dokchamp.ttf | 0x1dd75e0000 | 0x1dd7604fff | Memory Mapped File | Readable |
|
|
|
- |
| upcjbi.ttf | 0x1dd75e0000 | 0x1dd75f2fff | Memory Mapped File | Readable |
|
|
|
- |
| gisha.ttf | 0x1dd75f0000 | 0x1dd7601fff | Memory Mapped File | Readable |
|
|
|
- |
| upcjl.ttf | 0x1dd7600000 | 0x1dd7611fff | Memory Mapped File | Readable |
|
|
|
- |
| upcib.ttf | 0x1dd7600000 | 0x1dd7611fff | Memory Mapped File | Readable |
|
|
|
- |
| rod.ttf | 0x1dd7600000 | 0x1dd7611fff | Memory Mapped File | Readable |
|
|
|
- |
| mriam.ttf | 0x1dd7610000 | 0x1dd761ffff | Memory Mapped File | Readable |
|
|
|
- |
| sortdefault.nls | 0x1dd7620000 | 0x1dd78f4fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000001dd7900000 | 0x1dd7900000 | 0x1dd797ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000001dd7980000 | 0x1dd7980000 | 0x1dd79fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000001dd7a00000 | 0x1dd7a00000 | 0x1dd7a00fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| ole32.dll | 0x1dd7a10000 | 0x1dd7b88fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000001dd7a10000 | 0x1dd7a10000 | 0x1dd7a8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000001dd7a90000 | 0x1dd7a90000 | 0x1dd7b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000001dd7b90000 | 0x1dd7b90000 | 0x1dd7c0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000001dd7c10000 | 0x1dd7c10000 | 0x1dd7c8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ~fontcache-fontface.dat | 0x1dd7c90000 | 0x1dd8c8ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000001dd8c90000 | 0x1dd8c90000 | 0x1dd8d8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| simsunb.ttf | 0x1dd8d90000 | 0x1dd9db4fff | Memory Mapped File | Readable |
|
|
|
- |
| trebucbd.ttf | 0x1dd8d90000 | 0x1dd8dc2fff | Memory Mapped File | Readable |
|
|
|
- |
| utsaahbi.ttf | 0x1dd8d90000 | 0x1dd8dc0fff | Memory Mapped File | Readable |
|
|
|
- |
| gadugib.ttf | 0x1dd8d90000 | 0x1dd8dc3fff | Memory Mapped File | Readable |
|
|
|
- |
| angsab.ttf | 0x1dd8d90000 | 0x1dd8da9fff | Memory Mapped File | Readable |
|
|
|
- |
| majalla.ttf | 0x1dd8d90000 | 0x1dd8dd7fff | Memory Mapped File | Readable |
|
|
|
- |
| seguibl.ttf | 0x1dd8d90000 | 0x1dd8ddefff | Memory Mapped File | Readable |
|
|
|
- |
| segoeuisl.ttf | 0x1dd8db0000 | 0x1dd8e65fff | Memory Mapped File | Readable |
|
|
|
- |
| taile.ttf | 0x1dd8dd0000 | 0x1dd8de0fff | Memory Mapped File | Readable |
|
|
|
- |
| kokila.ttf | 0x1dd8dd0000 | 0x1dd8dfbfff | Memory Mapped File | Readable |
|
|
|
- |
| palabi.ttf | 0x1dd8dd0000 | 0x1dd8e21fff | Memory Mapped File | Readable |
|
|
|
- |
| ariblk.ttf | 0x1dd8de0000 | 0x1dd8e08fff | Memory Mapped File | Readable |
|
|
|
- |
| calibrili.ttf | 0x1dd8de0000 | 0x1dd8eb4fff | Memory Mapped File | Readable |
|
|
|
- |
| malgun.ttf | 0x1dd8df0000 | 0x1dd9716fff | Memory Mapped File | Readable |
|
|
|
- |
| vrindab.ttf | 0x1dd8e00000 | 0x1dd8e38fff | Memory Mapped File | Readable |
|
|
|
- |
| seguisli.ttf | 0x1dd8e10000 | 0x1dd8e72fff | Memory Mapped File | Readable |
|
|
|
- |
| segoeuii.ttf | 0x1dd8e30000 | 0x1dd8ea0fff | Memory Mapped File | Readable |
|
|
|
- |
| tradbdo.ttf | 0x1dd8e40000 | 0x1dd8e82fff | Memory Mapped File | Readable |
|
|
|
- |
| vijaya.ttf | 0x1dd8e70000 | 0x1dd8e95fff | Memory Mapped File | Readable |
|
|
|
- |
| sitkaz.ttc | 0x1dd8e90000 | 0x1dd8f80fff | Memory Mapped File | Readable |
|
|
|
- |
| monbaiti.ttf | 0x1dd8ea0000 | 0x1dd8ee5fff | Memory Mapped File | Readable |
|
|
|
- |
| calibrib.ttf | 0x1dd8eb0000 | 0x1dd8f7ffff | Memory Mapped File | Readable |
|
|
|
- |
| cambriaz.ttf | 0x1dd8ec0000 | 0x1dd8f85fff | Memory Mapped File | Readable |
|
|
|
- |
| sitka.ttc | 0x1dd8ef0000 | 0x1dd8fd5fff | Memory Mapped File | Readable |
|
|
|
- |
| iskpota.ttf | 0x1dd8f80000 | 0x1dd9003fff | Memory Mapped File | Readable |
|
|
|
- |
| nirmalas.ttf | 0x1dd8f90000 | 0x1dd90eafff | Memory Mapped File | Readable |
|
|
|
- |
| georgiaz.ttf | 0x1dd8f90000 | 0x1dd8fc4fff | Memory Mapped File | Readable |
|
|
|
- |
| verdana.ttf | 0x1dd8fd0000 | 0x1dd900afff | Memory Mapped File | Readable |
|
|
|
- |
| nirmala.ttf | 0x1dd9010000 | 0x1dd9161fff | Memory Mapped File | Readable |
|
|
|
- |
| symbol.ttf | 0x1dd9010000 | 0x1dd9021fff | Memory Mapped File | Readable |
|
|
|
- |
| euphemia.ttf | 0x1dd9030000 | 0x1dd905afff | Memory Mapped File | Readable |
|
|
|
- |
| corbelz.ttf | 0x1dd9060000 | 0x1dd90a4fff | Memory Mapped File | Readable |
|
|
|
- |
| corbelb.ttf | 0x1dd90b0000 | 0x1dd90f2fff | Memory Mapped File | Readable |
|
|
|
- |
| leelauib.ttf | 0x1dd90f0000 | 0x1dd9140fff | Memory Mapped File | Readable |
|
|
|
- |
| shrutib.ttf | 0x1dd9100000 | 0x1dd9135fff | Memory Mapped File | Readable |
|
|
|
- |
| consola.ttf | 0x1dd9140000 | 0x1dd9197fff | Memory Mapped File | Readable |
|
|
|
- |
| msyh.ttc | 0x1dd9170000 | 0x1dda611fff | Memory Mapped File | Readable |
|
|
|
- |
| segoeuiz.ttf | 0x1dd91a0000 | 0x1dd9213fff | Memory Mapped File | Readable |
|
|
|
- |
| seguisbi.ttf | 0x1dd9220000 | 0x1dd9280fff | Memory Mapped File | Readable |
|
|
|
- |
| cambria.ttc | 0x1dd9290000 | 0x1dd942cfff | Memory Mapped File | Readable |
|
|
|
- |
| msjhl.ttc | 0x1dd9720000 | 0x1dda1b7fff | Memory Mapped File | Readable |
|
|
|
- |
| shonar.ttf | 0x1dd9dc0000 | 0x1dd9e10fff | Memory Mapped File | Readable |
|
|
|
- |
| browauz.ttf | 0x1dd9e20000 | 0x1dd9e34fff | Memory Mapped File | Readable |
|
|
|
- |
| majallab.ttf | 0x1dd9e40000 | 0x1dd9e87fff | Memory Mapped File | Readable |
|
|
|
- |
| upclbi.ttf | 0x1dd9e90000 | 0x1dd9e9dfff | Memory Mapped File | Readable |
|
|
|
- |
| palab.ttf | 0x1dd9ea0000 | 0x1dd9f05fff | Memory Mapped File | Readable |
|
|
|
- |
| moolbor.ttf | 0x1dd9f10000 | 0x1dd9f63fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000001dd9f70000 | 0x1dd9f70000 | 0x1dd9feffff | Private Memory | Readable, Writable |
|
|
|
- |
| cordia.ttf | 0x1dd9f70000 | 0x1dd9f89fff | Memory Mapped File | Readable |
|
|
|
- |
| framdit.ttf | 0x1dd9ff0000 | 0x1dda015fff | Memory Mapped File | Readable |
|
|
|
- |
| ariali.ttf | 0x1dda020000 | 0x1dda0bafff | Memory Mapped File | Readable |
|
|
|
- |
| comicbd.ttf | 0x1dda1c0000 | 0x1dda1f6fff | Memory Mapped File | Readable |
|
|
|
- |
| seguisym.ttf | 0x1dda200000 | 0x1dda3b2fff | Memory Mapped File | Readable |
|
|
|
- |
| batang.ttc | 0x1dda620000 | 0x1ddb5a2fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00007ff60642a000 | 0x7ff60642a000 | 0x7ff60642bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60642c000 | 0x7ff60642c000 | 0x7ff60642dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60642e000 | 0x7ff60642e000 | 0x7ff60642ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff606430000 | 0x7ff606430000 | 0x7ff60652ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff606530000 | 0x7ff606530000 | 0x7ff606552fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff606554000 | 0x7ff606554000 | 0x7ff606555fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606556000 | 0x7ff606556000 | 0x7ff606557fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606558000 | 0x7ff606558000 | 0x7ff606559fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60655a000 | 0x7ff60655a000 | 0x7ff60655bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60655c000 | 0x7ff60655c000 | 0x7ff60655dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60655e000 | 0x7ff60655e000 | 0x7ff60655efff | Private Memory | Readable, Writable |
|
|
|
- |
| svchost.exe | 0x7ff606dc0000 | 0x7ff606dcbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsisvc.dll | 0x7ff9f89d0000 | 0x7ff9f89dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fntcache.dll | 0x7ff9f8b10000 | 0x7ff9f8c5cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| es.dll | 0x7ff9f9600000 | 0x7ff9f9677fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ff9fb740000 | 0x7ff9fb749fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ff9fbd70000 | 0x7ff9fbda4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ff9fc130000 | 0x7ff9fc14dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ff9fc360000 | 0x7ff9fc385fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff9fc680000 | 0x7ff9fc6dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ff9fc6e0000 | 0x7ff9fc6e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ff9fc940000 | 0x7ff9fca4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ff9fcd80000 | 0x7ff9fceb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ff9fcec0000 | 0x7ff9fcf66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ff9fcfb0000 | 0x7ff9fd185fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ff9fd190000 | 0x7ff9fd246fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ff9fd2b0000 | 0x7ff9fd354fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ff9fd6d0000 | 0x7ff9fd805fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7ff9fd8c0000 | 0x7ff9fd963fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ff9fd970000 | 0x7ff9fd9c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ff9fdb80000 | 0x7ff9fdcc4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ff9fde70000 | 0x7ff9fdfe0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ff9ff470000 | 0x7ff9ff478fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9ff500000 | 0x7ff9ff6a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
|
For performance reasons, the remaining 10 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #28: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #28 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:15, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:18 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x358 |
| Parent PID | 0x1d0 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
35C
0x
364
0x
368
0x
374
0x
378
0x
390
0x
39C
0x
41C
0x
428
0x
42C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000b7d1b70000 | 0xb7d1b70000 | 0xb7d1b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000b7d1b70000 | 0xb7d1b70000 | 0xb7d1b7ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000b7d1b80000 | 0xb7d1b80000 | 0xb7d1b86fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000b7d1b90000 | 0xb7d1b90000 | 0xb7d1b9efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000b7d1ba0000 | 0xb7d1ba0000 | 0xb7d1c1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000b7d1c20000 | 0xb7d1c20000 | 0xb7d1c23fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000b7d1c30000 | 0xb7d1c30000 | 0xb7d1c30fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000b7d1c40000 | 0xb7d1c40000 | 0xb7d1c41fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000b7d1c50000 | 0xb7d1c50000 | 0xb7d1d4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0xb7d1d50000 | 0xb7d1dcdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000b7d1dd0000 | 0xb7d1dd0000 | 0xb7d1e6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000b7d1dd0000 | 0xb7d1dd0000 | 0xb7d1dd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000b7d1de0000 | 0xb7d1de0000 | 0xb7d1de2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000b7d1df0000 | 0xb7d1df0000 | 0xb7d1df0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000b7d1e00000 | 0xb7d1e00000 | 0xb7d1e00fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000b7d1e10000 | 0xb7d1e10000 | 0xb7d1e10fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000b7d1e20000 | 0xb7d1e20000 | 0xb7d1e20fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000b7d1e30000 | 0xb7d1e30000 | 0xb7d1e30fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000b7d1e40000 | 0xb7d1e40000 | 0xb7d1e40fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000b7d1e50000 | 0xb7d1e50000 | 0xb7d1e50fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000b7d1e60000 | 0xb7d1e60000 | 0xb7d1e6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| rpcss.dll | 0xb7d1e70000 | 0xb7d1f27fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000b7d1e70000 | 0xb7d1e70000 | 0xb7d1ff7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000b7d2000000 | 0xb7d2000000 | 0xb7d2180fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000b7d2190000 | 0xb7d2190000 | 0xb7d224ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000b7d2250000 | 0xb7d2250000 | 0xb7d264bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000b7d2650000 | 0xb7d2650000 | 0xb7d26cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000b7d26d0000 | 0xb7d26d0000 | 0xb7d274ffff | Private Memory | Readable, Writable |
|
|
|
- |
| mmdevapi.dll.mui | 0xb7d26d0000 | 0xb7d26d0fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000b7d26e0000 | 0xb7d26e0000 | 0xb7d26e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0xb7d2750000 | 0xb7d2a24fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000b7d2a30000 | 0xb7d2a30000 | 0xb7d2aaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000b7d2ab0000 | 0xb7d2ab0000 | 0xb7d2b2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000b7d2b30000 | 0xb7d2b30000 | 0xb7d2baffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000b7d2bb0000 | 0xb7d2bb0000 | 0xb7d2c2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000b7d2c30000 | 0xb7d2c30000 | 0xb7d2caffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000b7d2cb0000 | 0xb7d2cb0000 | 0xb7d2d2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6062dc000 | 0x7ff6062dc000 | 0x7ff6062ddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6062de000 | 0x7ff6062de000 | 0x7ff6062dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff6062e0000 | 0x7ff6062e0000 | 0x7ff6063dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff6063e0000 | 0x7ff6063e0000 | 0x7ff606402fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff606403000 | 0x7ff606403000 | 0x7ff606403fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606404000 | 0x7ff606404000 | 0x7ff606405fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606406000 | 0x7ff606406000 | 0x7ff606407fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606408000 | 0x7ff606408000 | 0x7ff606409fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60640a000 | 0x7ff60640a000 | 0x7ff60640bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60640c000 | 0x7ff60640c000 | 0x7ff60640dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60640e000 | 0x7ff60640e000 | 0x7ff60640ffff | Private Memory | Readable, Writable |
|
|
|
- |
| svchost.exe | 0x7ff606dc0000 | 0x7ff606dcbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| aepic.dll | 0x7ff9f7e50000 | 0x7ff9f7e6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pcasvc.dll | 0x7ff9f7f60000 | 0x7ff9f7fd5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wtsapi32.dll | 0x7ff9f8c60000 | 0x7ff9f8c70fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| audioendpointbuilder.dll | 0x7ff9f8e50000 | 0x7ff9f8e86fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mmdevapi.dll | 0x7ff9f9e20000 | 0x7ff9f9e81fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7ff9fb6f0000 | 0x7ff9fb715fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ff9fb740000 | 0x7ff9fb749fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ff9fc360000 | 0x7ff9fc385fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff9fc680000 | 0x7ff9fc6dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ff9fc6e0000 | 0x7ff9fc6e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x7ff9fc790000 | 0x7ff9fc7e6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| powrprof.dll | 0x7ff9fc820000 | 0x7ff9fc864fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ff9fc940000 | 0x7ff9fca4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ff9fca50000 | 0x7ff9fca99fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ff9fcd80000 | 0x7ff9fceb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ff9fcec0000 | 0x7ff9fcf66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ff9fcfb0000 | 0x7ff9fd185fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ff9fd2b0000 | 0x7ff9fd354fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ff9fd6d0000 | 0x7ff9fd805fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7ff9fd8c0000 | 0x7ff9fd963fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ff9fd970000 | 0x7ff9fd9c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ff9fdb80000 | 0x7ff9fdcc4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ff9fde70000 | 0x7ff9fdfe0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9ff500000 | 0x7ff9ff6a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #29: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #29 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k NetworkService |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:18, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:15 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3c4 |
| Parent PID | 0x1d0 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3C8
0x
3CC
0x
3D0
0x
3D8
0x
3DC
0x
3E0
0x
3E4
0x
3E8
0x
3EC
0x
3F0
0x
114
0x
3BC
0x
120
0x
258
0x
408
0x
40C
0x
418
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000f1797b0000 | 0xf1797b0000 | 0xf1797cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000f1797b0000 | 0xf1797b0000 | 0xf1797bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f1797c0000 | 0xf1797c0000 | 0xf1797c6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000f1797d0000 | 0xf1797d0000 | 0xf1797defff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000f1797e0000 | 0xf1797e0000 | 0xf17985ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000f179860000 | 0xf179860000 | 0xf179863fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000f179870000 | 0xf179870000 | 0xf179870fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000f179880000 | 0xf179880000 | 0xf179881fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f179890000 | 0xf179890000 | 0xf179896fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000f1798a0000 | 0xf1798a0000 | 0xf1798a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000f1798b0000 | 0xf1798b0000 | 0xf1798b0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f1798c0000 | 0xf1798c0000 | 0xf1799bffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0xf1799c0000 | 0xf179a3dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000f179a40000 | 0xf179a40000 | 0xf179c3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| rpcss.dll | 0xf179a40000 | 0xf179af7fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000f179a40000 | 0xf179a40000 | 0xf179bc7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000f179bd0000 | 0xf179bd0000 | 0xf179bd0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f179be0000 | 0xf179be0000 | 0xf179be0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f179bf0000 | 0xf179bf0000 | 0xf179bf0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000f179bf0000 | 0xf179bf0000 | 0xf179bf0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000f179c00000 | 0xf179c00000 | 0xf179c00fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000f179c30000 | 0xf179c30000 | 0xf179c3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000f179c40000 | 0xf179c40000 | 0xf179dc0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000f179dd0000 | 0xf179dd0000 | 0xf179e8ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000f179e90000 | 0xf179e90000 | 0xf17a28bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000f17a290000 | 0xf17a290000 | 0xf17a30ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f17a310000 | 0xf17a310000 | 0xf17a38ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0xf17a390000 | 0xf17a664fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000f17a670000 | 0xf17a670000 | 0xf17a6effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f17a6f0000 | 0xf17a6f0000 | 0xf17a76ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f17a770000 | 0xf17a770000 | 0xf17a7effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f17a7f0000 | 0xf17a7f0000 | 0xf17a86ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f17a870000 | 0xf17a870000 | 0xf17a8effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f17a8f0000 | 0xf17a8f0000 | 0xf17aa1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f17a8f0000 | 0xf17a8f0000 | 0xf17a96ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f17a970000 | 0xf17a970000 | 0xf17a9effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f17aa10000 | 0xf17aa10000 | 0xf17aa1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f17aa20000 | 0xf17aa20000 | 0xf17aa9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f17aaa0000 | 0xf17aaa0000 | 0xf17ab9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f17aba0000 | 0xf17aba0000 | 0xf17ac1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000f17ac20000 | 0xf17ac20000 | 0xf17ac9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ole32.dll | 0xf17aca0000 | 0xf17ae18fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000f17aca0000 | 0xf17aca0000 | 0xf17ad1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60632e000 | 0x7ff60632e000 | 0x7ff60632ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606330000 | 0x7ff606330000 | 0x7ff606331fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606332000 | 0x7ff606332000 | 0x7ff606333fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606334000 | 0x7ff606334000 | 0x7ff606335fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606336000 | 0x7ff606336000 | 0x7ff606337fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606338000 | 0x7ff606338000 | 0x7ff606339fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60633a000 | 0x7ff60633a000 | 0x7ff60633bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60633c000 | 0x7ff60633c000 | 0x7ff60633dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60633e000 | 0x7ff60633e000 | 0x7ff60633ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff606340000 | 0x7ff606340000 | 0x7ff60643ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff606440000 | 0x7ff606440000 | 0x7ff606462fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff606464000 | 0x7ff606464000 | 0x7ff606465fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606466000 | 0x7ff606466000 | 0x7ff606467fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606468000 | 0x7ff606468000 | 0x7ff606469fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60646a000 | 0x7ff60646a000 | 0x7ff60646afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60646c000 | 0x7ff60646c000 | 0x7ff60646dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60646e000 | 0x7ff60646e000 | 0x7ff60646ffff | Private Memory | Readable, Writable |
|
|
|
- |
| svchost.exe | 0x7ff606dc0000 | 0x7ff606dcbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nlasvc.dll | 0x7ff9f8030000 | 0x7ff9f8091fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsvc.dll | 0x7ff9f80a0000 | 0x7ff9f80c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkssvc.dll | 0x7ff9f80f0000 | 0x7ff9f8137fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dhcpcsvc.dll | 0x7ff9f8740000 | 0x7ff9f8758fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ff9f87d0000 | 0x7ff9f87e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsext.dll | 0x7ff9f87f0000 | 0x7ff9f87f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fwpuclnt.dll | 0x7ff9f8800000 | 0x7ff9f8866fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x7ff9f8870000 | 0x7ff9f8879fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x7ff9f8890000 | 0x7ff9f88b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsrslvr.dll | 0x7ff9f88c0000 | 0x7ff9f8901fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| taskschd.dll | 0x7ff9f8c80000 | 0x7ff9f8e1cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wevtapi.dll | 0x7ff9fa450000 | 0x7ff9fa4b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ff9fb740000 | 0x7ff9fb749fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gpapi.dll | 0x7ff9fba70000 | 0x7ff9fba92fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x7ff9fbb20000 | 0x7ff9fbb2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7ff9fbe80000 | 0x7ff9fbe9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x7ff9fbee0000 | 0x7ff9fbf82fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x7ff9fc0d0000 | 0x7ff9fc127fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netjoin.dll | 0x7ff9fc290000 | 0x7ff9fc2dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ff9fc360000 | 0x7ff9fc385fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ff9fc640000 | 0x7ff9fc66afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff9fc680000 | 0x7ff9fc6dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ff9fc6e0000 | 0x7ff9fc6e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ff9fc870000 | 0x7ff9fc883fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x7ff9fc920000 | 0x7ff9fc931fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ff9fc940000 | 0x7ff9fca4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ff9fca50000 | 0x7ff9fca99fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x7ff9fcaf0000 | 0x7ff9fccc6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ff9fcd80000 | 0x7ff9fceb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ff9fcec0000 | 0x7ff9fcf66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ff9fcfb0000 | 0x7ff9fd185fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ff9fd190000 | 0x7ff9fd246fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ff9fd250000 | 0x7ff9fd2a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ff9fd2b0000 | 0x7ff9fd354fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ff9fd6d0000 | 0x7ff9fd805fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7ff9fd8c0000 | 0x7ff9fd963fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ff9fd970000 | 0x7ff9fd9c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ff9fdb80000 | 0x7ff9fdcc4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ff9fde70000 | 0x7ff9fdfe0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ff9ff470000 | 0x7ff9ff478fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9ff500000 | 0x7ff9ff6a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #30: spoolsv.exe
0
0
| Information | Value |
|---|---|
| ID | #30 |
| File Name | c:\windows\system32\spoolsv.exe |
| Command Line | C:\Windows\System32\spoolsv.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:27, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:06 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x128 |
| Parent PID | 0x1d0 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
134
0x
174
0x
16C
0x
200
0x
21C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000730000 | 0x00730000 | 0x0074ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x0073ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x00746fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x0075efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0079ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x007a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x007b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x007d0000 | 0x0084dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x0090ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x00912fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00920fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00930fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x00940fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x00956fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x00a5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x00be7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000bf0000 | 0x00bf0000 | 0x00d70fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x0117bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001180000 | 0x01180000 | 0x012affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001180000 | 0x01180000 | 0x011bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000011c0000 | 0x011c0000 | 0x011fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x01200fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001210000 | 0x01210000 | 0x01210fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001210000 | 0x01210000 | 0x0124ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000012a0000 | 0x012a0000 | 0x012affff | Private Memory | Readable, Writable |
|
|
|
- |
| rpcss.dll | 0x012b0000 | 0x01367fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000012b0000 | 0x012b0000 | 0x0138ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff69eff0000 | 0x7ff69eff0000 | 0x7ff69f0effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff69f0f0000 | 0x7ff69f0f0000 | 0x7ff69f112fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff69f117000 | 0x7ff69f117000 | 0x7ff69f118fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff69f119000 | 0x7ff69f119000 | 0x7ff69f119fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff69f11a000 | 0x7ff69f11a000 | 0x7ff69f11bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff69f11c000 | 0x7ff69f11c000 | 0x7ff69f11dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff69f11e000 | 0x7ff69f11e000 | 0x7ff69f11ffff | Private Memory | Readable, Writable |
|
|
|
- |
| spoolsv.exe | 0x7ff69ff30000 | 0x7ff69fff5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ff9fb740000 | 0x7ff9fb749fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x7ff9fbee0000 | 0x7ff9fbf82fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x7ff9fc0d0000 | 0x7ff9fc127fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ff9fc640000 | 0x7ff9fc66afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff9fc680000 | 0x7ff9fc6dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ff9fc6e0000 | 0x7ff9fc6e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| powrprof.dll | 0x7ff9fc820000 | 0x7ff9fc864fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ff9fc940000 | 0x7ff9fca4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ff9fcd80000 | 0x7ff9fceb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ff9fcec0000 | 0x7ff9fcf66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ff9fcfb0000 | 0x7ff9fd185fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ff9fd250000 | 0x7ff9fd2a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ff9fd6d0000 | 0x7ff9fd805fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ff9fd970000 | 0x7ff9fd9c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ff9fdb80000 | 0x7ff9fdcc4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ff9fde70000 | 0x7ff9fdfe0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ff9ff470000 | 0x7ff9ff478fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9ff500000 | 0x7ff9ff6a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #31: taskhost.exe
0
0
| Information | Value |
|---|---|
| ID | #31 |
| File Name | c:\windows\system32\taskhost.exe |
| Command Line | taskhost.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:27, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:06 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x168 |
| Parent PID | 0x2dc (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
1C8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000ddfa110000 | 0xddfa110000 | 0xddfa12ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000ddfa110000 | 0xddfa110000 | 0xddfa11ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000ddfa130000 | 0xddfa130000 | 0xddfa13efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000ddfa140000 | 0xddfa140000 | 0xddfa1bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000ddfa1c0000 | 0xddfa1c0000 | 0xddfa1c3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000ddfa1d0000 | 0xddfa1d0000 | 0xddfa1d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000ddfa1e0000 | 0xddfa1e0000 | 0xddfa1e1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000ddfa300000 | 0xddfa300000 | 0xddfa3fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff6801c0000 | 0x7ff6801c0000 | 0x7ff6802bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff6802c0000 | 0x7ff6802c0000 | 0x7ff6802e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff6802ed000 | 0x7ff6802ed000 | 0x7ff6802eefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff6802ef000 | 0x7ff6802ef000 | 0x7ff6802effff | Private Memory | Readable, Writable |
|
|
|
- |
| taskhost.exe | 0x7ff6808f0000 | 0x7ff680904fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ff9fc940000 | 0x7ff9fca4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ff9fcd80000 | 0x7ff9fceb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9ff500000 | 0x7ff9ff6a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #32: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #32 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:28, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:05 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x220 |
| Parent PID | 0x1d0 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
228
0x
238
0x
258
0x
25C
0x
280
0x
270
0x
2C0
0x
320
0x
350
0x
2E8
0x
368
0x
36C
0x
3B8
0x
3D0
0x
3E8
0x
F8
0x
DC
0x
3EC
0x
410
0x
420
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000003c6ddd0000 | 0x3c6ddd0000 | 0x3c6ddeffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000003c6ddd0000 | 0x3c6ddd0000 | 0x3c6dddffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6dde0000 | 0x3c6dde0000 | 0x3c6dde6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000003c6ddf0000 | 0x3c6ddf0000 | 0x3c6ddfefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000003c6de00000 | 0x3c6de00000 | 0x3c6de7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000003c6de80000 | 0x3c6de80000 | 0x3c6de83fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000003c6de90000 | 0x3c6de90000 | 0x3c6de90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000003c6dea0000 | 0x3c6dea0000 | 0x3c6dea1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x3c6deb0000 | 0x3c6df2dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000003c6df30000 | 0x3c6df30000 | 0x3c6df36fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000003c6df40000 | 0x3c6df40000 | 0x3c6df42fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000003c6df50000 | 0x3c6df50000 | 0x3c6df50fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6df60000 | 0x3c6df60000 | 0x3c6df60fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6df70000 | 0x3c6df70000 | 0x3c6df70fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6df80000 | 0x3c6df80000 | 0x3c6df86fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6df90000 | 0x3c6df90000 | 0x3c6df90fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6df90000 | 0x3c6df90000 | 0x3c6df9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6dfa0000 | 0x3c6dfa0000 | 0x3c6e09ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6e0a0000 | 0x3c6e0a0000 | 0x3c6e18ffff | Private Memory | Readable, Writable |
|
|
|
- |
| rpcss.dll | 0x3c6e0a0000 | 0x3c6e157fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000003c6e0a0000 | 0x3c6e0a0000 | 0x3c6e15ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000003c6e160000 | 0x3c6e160000 | 0x3c6e160fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000003c6e170000 | 0x3c6e170000 | 0x3c6e170fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000003c6e180000 | 0x3c6e180000 | 0x3c6e18ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000003c6e190000 | 0x3c6e190000 | 0x3c6e317fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000003c6e320000 | 0x3c6e320000 | 0x3c6e4a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000003c6e4b0000 | 0x3c6e4b0000 | 0x3c6e8abfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000003c6e8b0000 | 0x3c6e8b0000 | 0x3c6e92ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6e930000 | 0x3c6e930000 | 0x3c6e9affff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x3c6e9b0000 | 0x3c6ec84fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000003c6ec90000 | 0x3c6ec90000 | 0x3c6ed0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000003c6ec90000 | 0x3c6ec90000 | 0x3c6ec90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000003c6eca0000 | 0x3c6eca0000 | 0x3c6eca0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6eca0000 | 0x3c6eca0000 | 0x3c6eca7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6ecb0000 | 0x3c6ecb0000 | 0x3c6ecb0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6ecc0000 | 0x3c6ecc0000 | 0x3c6ecc0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6ecd0000 | 0x3c6ecd0000 | 0x3c6ecd0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6ece0000 | 0x3c6ece0000 | 0x3c6ece0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6ecf0000 | 0x3c6ecf0000 | 0x3c6ecf0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6ed00000 | 0x3c6ed00000 | 0x3c6ed0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6ed10000 | 0x3c6ed10000 | 0x3c6ed8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6ed90000 | 0x3c6ed90000 | 0x3c6ee8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6ee90000 | 0x3c6ee90000 | 0x3c6ef0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6ef10000 | 0x3c6ef10000 | 0x3c6ef8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6ef90000 | 0x3c6ef90000 | 0x3c6f00ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6f010000 | 0x3c6f010000 | 0x3c6f08ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6f090000 | 0x3c6f090000 | 0x3c6f10ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6f110000 | 0x3c6f110000 | 0x3c6f18ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6f190000 | 0x3c6f190000 | 0x3c6f20ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6f210000 | 0x3c6f210000 | 0x3c6f28ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6f290000 | 0x3c6f290000 | 0x3c6f30ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6f310000 | 0x3c6f310000 | 0x3c6f38ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6f390000 | 0x3c6f390000 | 0x3c6f40ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6f410000 | 0x3c6f410000 | 0x3c6f48ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6f490000 | 0x3c6f490000 | 0x3c6f50ffff | Private Memory | Readable, Writable |
|
|
|
- |
| mscms.dll | 0x3c6f510000 | 0x3c6f59cfff | Memory Mapped File | Readable |
|
|
|
- |
| ole32.dll | 0x3c6f510000 | 0x3c6f688fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000003c6f510000 | 0x3c6f510000 | 0x3c6f58ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wbengine.exe | 0x3c6f590000 | 0x3c6f70dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000003c6f590000 | 0x3c6f590000 | 0x3c6f590fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6f5a0000 | 0x3c6f5a0000 | 0x3c6f5a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6f5b0000 | 0x3c6f5b0000 | 0x3c6f5b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6f5c0000 | 0x3c6f5c0000 | 0x3c6f5c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6f5d0000 | 0x3c6f5d0000 | 0x3c6f5d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003c6f5e0000 | 0x3c6f5e0000 | 0x3c6f6dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606988000 | 0x7ff606988000 | 0x7ff606989fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60698a000 | 0x7ff60698a000 | 0x7ff60698bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60698c000 | 0x7ff60698c000 | 0x7ff60698dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60698e000 | 0x7ff60698e000 | 0x7ff60698ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606990000 | 0x7ff606990000 | 0x7ff606991fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606992000 | 0x7ff606992000 | 0x7ff606993fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606994000 | 0x7ff606994000 | 0x7ff606995fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606996000 | 0x7ff606996000 | 0x7ff606997fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606998000 | 0x7ff606998000 | 0x7ff606999fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60699a000 | 0x7ff60699a000 | 0x7ff60699bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60699c000 | 0x7ff60699c000 | 0x7ff60699dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff60699e000 | 0x7ff60699e000 | 0x7ff60699ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff6069a0000 | 0x7ff6069a0000 | 0x7ff606a9ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff606aa0000 | 0x7ff606aa0000 | 0x7ff606ac2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff606ac3000 | 0x7ff606ac3000 | 0x7ff606ac4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606ac5000 | 0x7ff606ac5000 | 0x7ff606ac6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606ac7000 | 0x7ff606ac7000 | 0x7ff606ac8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606ac9000 | 0x7ff606ac9000 | 0x7ff606acafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606acb000 | 0x7ff606acb000 | 0x7ff606accfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606acd000 | 0x7ff606acd000 | 0x7ff606acefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff606acf000 | 0x7ff606acf000 | 0x7ff606acffff | Private Memory | Readable, Writable |
|
|
|
- |
| svchost.exe | 0x7ff606dc0000 | 0x7ff606dcbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mrmcorer.dll | 0x7ff9f7e70000 | 0x7ff9f7f53fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dps.dll | 0x7ff9f7fe0000 | 0x7ff9f800cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wfapigp.dll | 0x7ff9f80d0000 | 0x7ff9f80d9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| adhapi.dll | 0x7ff9f80e0000 | 0x7ff9f80e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpssvc.dll | 0x7ff9f8140000 | 0x7ff9f8218fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bfe.dll | 0x7ff9f8220000 | 0x7ff9f82effff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dhcpcsvc.dll | 0x7ff9f8740000 | 0x7ff9f8758fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ff9f87d0000 | 0x7ff9f87e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fwpuclnt.dll | 0x7ff9f8800000 | 0x7ff9f8866fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x7ff9f8870000 | 0x7ff9f8879fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x7ff9f8890000 | 0x7ff9f88b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| taskschd.dll | 0x7ff9f8c80000 | 0x7ff9f8e1cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wevtapi.dll | 0x7ff9fa450000 | 0x7ff9fa4b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ff9fb740000 | 0x7ff9fb749fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| firewallapi.dll | 0x7ff9fb7a0000 | 0x7ff9fb855fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gpapi.dll | 0x7ff9fba70000 | 0x7ff9fba92fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pcwum.dll | 0x7ff9fbab0000 | 0x7ff9fbabdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| authz.dll | 0x7ff9fbb30000 | 0x7ff9fbb77fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x7ff9fbee0000 | 0x7ff9fbf82fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x7ff9fc0d0000 | 0x7ff9fc127fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ff9fc640000 | 0x7ff9fc66afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff9fc680000 | 0x7ff9fc6dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ff9fc6e0000 | 0x7ff9fc6e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ff9fc940000 | 0x7ff9fca4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7ff9fca50000 | 0x7ff9fca99fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ff9fcd80000 | 0x7ff9fceb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ff9fcec0000 | 0x7ff9fcf66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ff9fcfb0000 | 0x7ff9fd185fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ff9fd190000 | 0x7ff9fd246fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ff9fd250000 | 0x7ff9fd2a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ff9fd6d0000 | 0x7ff9fd805fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7ff9fd8c0000 | 0x7ff9fd963fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ff9fd970000 | 0x7ff9fd9c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ff9fdb80000 | 0x7ff9fdcc4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ff9fde70000 | 0x7ff9fdfe0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ff9ff470000 | 0x7ff9ff478fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9ff500000 | 0x7ff9ff6a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #33: taskhost.exe
0
0
| Information | Value |
|---|---|
| ID | #33 |
| File Name | c:\windows\system32\taskhost.exe |
| Command Line | taskhost.exe TpmTasks |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:29, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:04 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x374 |
| Parent PID | 0x2dc (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3A0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000000d13280000 | 0xd13280000 | 0xd1329ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000d13280000 | 0xd13280000 | 0xd1328ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000d132a0000 | 0xd132a0000 | 0xd132aefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000d132b0000 | 0xd132b0000 | 0xd1332ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000d13330000 | 0xd13330000 | 0xd13333fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000d13340000 | 0xd13340000 | 0xd13340fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000d13350000 | 0xd13350000 | 0xd13351fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000d13450000 | 0xd13450000 | 0xd1354ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff67fa80000 | 0x7ff67fa80000 | 0x7ff67fb7ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff67fb80000 | 0x7ff67fb80000 | 0x7ff67fba2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff67fba8000 | 0x7ff67fba8000 | 0x7ff67fba8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff67fbae000 | 0x7ff67fbae000 | 0x7ff67fbaffff | Private Memory | Readable, Writable |
|
|
|
- |
| taskhost.exe | 0x7ff6808f0000 | 0x7ff680904fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ff9fc940000 | 0x7ff9fca4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ff9fcd80000 | 0x7ff9fceb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ff9ff500000 | 0x7ff9ff6a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
