w.exe
Windows Exe (x86-32)
Created at 2019-06-28T15:19:00
Monitored Processes
Behavior Information - Grouped by Category
Process #1: w.exe
12632
1
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe |
| Command Line | "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\w.exe" |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:26, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:01, Reason: Self Terminated |
| Monitor Duration | 00:01:35 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xad8 |
| Parent PID | 0x45c (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ADC
0x
AF0
0x
AF8
0x
AFC
0x
B00
0x
7D4
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| w.exe | 0x00400000 | 0x00739FFF | Relevant Image | - | 32-bit | - |
|
|
|
| w.exe | 0x00400000 | 0x00739FFF | Process Termination | - | 32-bit | - |
|
|
|
Dropped Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\5p5NrGJn0jS HALPmcxz\windows | 1.67 KB |
MD5:
94d158f48c1ee28b483cd47e5ddd8902
SHA1: dfeff8ed62727e1f19463a760d479eac99018ce1 SHA256: 52ac1b412a654620c339567606f0885dce579a817549c2997eb6f3d9fd621dc9 SSDeep: 24:qTln521iOxtzbaU0q/V8Z+nYFdRuhgOYnuHPcAgIJVutqa+tQFSnO6r9/Pdw7dgt:yn521hu8VpYUhg2Pco3uKGFUDPw6t |
|
|
| C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim | 0.98 MB |
MD5:
df5ad5bb61e844cb48a8130f241fd72a
SHA1: e7e9f82af192ad369f7e9f5700210a9c3fcc8d8f SHA256: 35d8633a051b178c4092a0424a04d2c4fe89bb30de9c6b6a72512e736b4d9afc SSDeep: 12288:ViBb4vxaP1YnTrZxaLvlEol8dr1IeTktu6H9qLlf8E1EeQ4YcnNODrTE9D2andjb:mOqB6ol8d+tpH9P0Eg55JLXEMhZn |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact | 0.98 MB |
MD5:
4f64e0c31b4c11cb961bd856ad18718d
SHA1: fdad01299b3156427e1dc98a84ee6a1baad6ccc5 SHA256: 62e9bb8e0d87a0dc801f077193a4188d0371495a48aca96cec31b9590d22d757 SSDeep: 24576:0XpMxczBt78wX+MCSirFAHVefiUgaiC+afdc8:x1AHVef28 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact.locked | 66.90 KB |
MD5:
cb3585609dd1e654cb61798f252c9e1d
SHA1: 09cc2a799b70f04a95edcd1b341ad893a8f6990d SHA256: 60cf8f4f2e288a4a6bffb667679cea51a53ecbdb6b33ddc34ad50cf92881bfe1 SSDeep: 1536:2qFT9TLMnym6k1Ly12gFHJuUqrHDI+kbqK3wfXNuNi:BLsYMLysgBq2qK3qduU |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact | 0.98 MB |
MD5:
622fcb7c55dae5f46e598a45b96574da
SHA1: 47e9643145e67e5c169624604f7e0f0a7488a4c9 SHA256: cd989c6e2bc13b85081fe9719634c6a9fd3ebf80b9812239d345e552cca65a51 SSDeep: 24576:Q9wFLMiftj5lVg/pjH1twUeJ91q2JqmOSuZ:K2sSJqmo |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact | 0.98 MB |
MD5:
03ffe7414596be9148dcfd10109b9f0a
SHA1: 1f1c9c7bff288b38e00516f4fe1ae59507aadf77 SHA256: 6d3fff0109a1d15d636595ced7739ca0e0231c3bfad7176e457151578436c7f0 SSDeep: 24576:mEITYa7RsEc8Xmf1kfxYjAV6ELYW5UH5jE:mEmYalsLgjUBE |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact.locked | 1.27 KB |
MD5:
a75078a6a814be255fc115e327303b36
SHA1: c0001d3a2c0b80772e32a1e287bee952e96361a7 SHA256: 84a297e96a921070c924b399a6b788db5db341ba70679a48eff7d8b6de76eef5 SSDeep: 24:ms0KqDDbl1cBrKN20CiYmkHFfY18cUE8QQDN5+crfC:mshWbl1SGZs1FfqB8QQDicrq |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact | 0.98 MB |
MD5:
bc57d4fee80d6eada9f61a60e68617d7
SHA1: 6fa70fd26a04bada387620c43b332902a89a76e9 SHA256: 83dc2f1ef8c13f0771a98c3ddcc9ca6c491dc4c40e003c2e136640bc61fda73b SSDeep: 24576:V49tZksOOv0S3FcY7UEV7Y+Sw96IG0vU2Ghj:TAaWAIMR |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact.locked | 1.27 KB |
MD5:
ec9a1ae7aa0f9b045eb5f9c3beec732d
SHA1: cf5bef91345dea2a0f858812a7e6f6566f0d21ad SHA256: 7a056e92be26153d1e8e640cde53274d6f1e8a7ea57d19dbc9c6796f5d7b2f39 SSDeep: 24:/Ya7tyqF4TfQB6Rs6gNUTk3D4pu1fTaomd8LH/wtv6/4UDzQXawikE:/Byg4cBUs6iUTqD4pMTaomdqH/0QH9J |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact | 0.98 MB |
MD5:
e08b55b20325bced57ee91beb18fc00b
SHA1: 2b034d71a2a2864762e30941417167a6eb1ff817 SHA256: 14b2c022fb913444f499c928cb32feabc1aafdcf1cd538df25b334e123c15909 SSDeep: 24576:h7qJqAENzOb0WsV1zE8NyZbGe4XjZWG855OJ9tQYDt09O:h7qJANHb1zY55u5p08 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\5ft3t_kQuOq_IXeynI9.png.locked | 95.65 KB |
MD5:
36291ea7a4efa00d54332cace5925e4e
SHA1: 03fbee6bcf5582f6a6377c3cf4c31b1ea5ecb9d8 SHA256: 1a1fcbd5bc022e190f431064f90f74c999c03d3594aba8be759c70d97b922450 SSDeep: 1536:UUEi0H5rQlZkgIBXyYK6DqRG4FinX93GccZOX2ZKoLetTXH9gGn7mE3Ux7AVIbch:UjieQGXHfIAnwcoetH9L7hUxe8/o |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\6gWXxuRsXBQ.doc.locked | 78.94 KB |
MD5:
c7385c4a5bdbe4513fad40b7edec65e8
SHA1: 7bd6ea9e0e70dc8fe14f54f841dc16398c3b0552 SHA256: ee49515aa550c26038db7c0475c66710e849be578b29bf160d1a8c6cfff877f8 SSDeep: 1536:L5cl7epZNb6pUoHHLdyOM8e3YJHJ/DUw9PpvepW06tNKOKARXyQ9D:tHNb6pUoHHBf3Jp/DzPpuW0AKcCQ9D |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\6gWXxuRsXBQ.doc | 0.98 MB |
MD5:
ffd3257b45b5aba6dd28737bc761e84f
SHA1: 244b1cd8adf9f6357a67cd3d17178821a0d65b4b SHA256: 9f92246f08246ce2a04516976942a087063b4851e1639d8f2b2a4b13e17ff739 SSDeep: 12288:wsPi7LV0KGQdKtMUjtTIuGkafeETwlhG9cmwW6GyGyD/N2BMG5N/BrNvUxtjtwr+:waKGQ7hkamPlhGWrG/rPULjtWdpk7aw |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\8CXwFq.mkv.locked | 82.45 KB |
MD5:
bee4a1abebd7c86660ee094d38677ca6
SHA1: 1178b14b975e7470e1ca9d5f0992a5fa2e4a7a03 SHA256: 6c1d8e1eedef79f18359ff2f2042114b1d07fd157ccc95701633b2b6494ef13c SSDeep: 1536:M6RpKS7r5XiqpeNc/kn6iADKKMMXAqyLU1Jv9giAy7vQ4UlRvi5:NRpKSFi2lvDtMwyY1w4vQflRvi5 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\8CXwFq.mkv | 0.98 MB |
MD5:
9c8101871bff89d986e9bdb06de722a5
SHA1: 8b4009fa41ae4acf43b76d44e2df35df1986d9f5 SHA256: 8f991da162746fbd060676bf334bc17c61e23a4dd6c86f290830eaef4e3d4620 SSDeep: 24576:0U/4xSexhSxNh2Tj6QnN7k8DFdno09U5CQzNnr:0q2vmSxxkmzobt |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\9AXR_x8XIa3ydKIE.ppt.locked | 34.89 KB |
MD5:
62338c0b4bf2c4138036a1a68604423d
SHA1: 7748e848e27c18490b6b775b9adae5f303cc8206 SHA256: 0a69cb8c45ad9c994492d137bd54ebcd9ceeaee70d9ae372ab2d0f2003b73434 SSDeep: 768:JgpH4DLGASX9NybTTC8X1hWxpRFXHj11hEEUnJHYUr/F:JKuLCXH0T9lhWfRFh1hEEUJ4uF |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\9AXR_x8XIa3ydKIE.ppt | 0.98 MB |
MD5:
9f298f615bcd5eef7d18d490bd155edc
SHA1: 99c4d33c17edd6ff2b3ff1060d67100cd2263a80 SHA256: 094b15c8fa98761f96c665b67fd933bd020e695ff107b5636b60a2ab4ffa267f SSDeep: 24576:QRC6eXGbvLsggtLa2caFovxYT5YJc8TNKFu1wOH:QCGbJgtLaI44m |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\GWmCF1_3WU.png.locked | 4.17 KB |
MD5:
0f970c1ae85cbf3ae2892f1e2964669e
SHA1: c5e3f4a9b53b7805ebf65a92ede186f050967390 SHA256: 8ea14146b760278a38ab78b82e9599c73c08b26c53cf7dede2816f269ae2b40e SSDeep: 96:665cSAjGGswOn9D/fLrjn3Q1IwtMp+gKQK1AuLINzanLl8FsOmwQ:665Nd/fLrj3Q1IwtgQvsNWnLisO9Q |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\GWmCF1_3WU.png | 0.98 MB |
MD5:
e6085e85b644bd2084937f78d22c07b5
SHA1: 2858cb3c761df5341306d9f367e05b15c9c2cb61 SHA256: d3e2d9b3708e9b8dac337ec6bd74dd4a6953928aadd4d1ce3b3da0ee9862e3ba SSDeep: 24576:t4zibOyl7AALblWdQt9GbJQXR2Ys8OQ8zKt298oKi+:SmaShqbik8Oj3w |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\I8YLdLjiG.mkv.locked | 11.66 KB |
MD5:
f4296f6c4f5ea61731ac692c48af369d
SHA1: 76cfb76e3cb4bc14fa4bf6dacd670ce0918ae84e SHA256: 70bdb1c1aad1661bc25c48b4879859a3699129f483cd73ad3b7dea54da961585 SSDeep: 192:7RIqlz8r/Du2mdGoVDL34s9VAEjNeGiO7BQExjO6yzomTgeCOFv2EpixMEMr:7RIiO/sVDrTHjNnJ+Exjr4oceES+r |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\I_J1p0hdvpTbfJ.doc.locked | 7.11 KB |
MD5:
a48593c56db9197afc86557b921af747
SHA1: 1c6dfa4d5c2e4baab43e406bb6755bd5329f9d81 SHA256: 3236fe650cbd5082dbf38502a6cb3fd335560afd3a0c316b12de012e560e5fdd SSDeep: 192:oWSlZQ53MZDxbiGVYh2DT7veVDRMSMuFcfQqVFhKq+D6:tEQRcB22DneVDRmPYITKhu |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\I_J1p0hdvpTbfJ.doc | 0.98 MB |
MD5:
3a46cc9cde36ddc27ba50b0e84cbb4fc
SHA1: 54eb1073cedf6339b740db0617b631a2951ddecc SHA256: 8c36159067f083e54b8c513067bb9279d79ea3bf4e9194ab06204b020503b159 SSDeep: 12288:MAQDcd/tBKc4tHSarohUccgCd7x1ZyPPpRuE7nU2GVDcjkmi0puQKAZSHychL02t:qcdYtyOK/J8E7U2igkmTu7Y+ACU0t |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KbQ_Jp_Ky1ec-nK.png.locked | 9.06 KB |
MD5:
40daf1c3987a49d51020b170ce8e1b90
SHA1: c22123c03694cba841901de13514225ee35ead57 SHA256: f251036014c05e28ecec963596d8e9f9e63d48bb24a9ce3cb0b237b5861de512 SSDeep: 192:UhBSe4ODnpvz6V4aK1gRB0YGZeEs8BrQG2Ys0nYoh3w8hLF:Uh19E4X1vZeEtQG2Y9YoewB |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KbQ_Jp_Ky1ec-nK.png | 0.98 MB |
MD5:
c24653ba0a7c13a422c1337bc487eb61
SHA1: d475f7660f49a3154b31c9d74fe88c3c12d108ac SHA256: 861b72e7fdfd387f85ff73a4f038c742140b7efa75c9049810eddf07b4089dbd SSDeep: 24576:Onf/YAbgRBL+xo/h8nRGtaVi5eV5AIIXi:oXPOZtQ5YS |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\So2CJKBAQ3_MNzog.mp4.locked | 37.29 KB |
MD5:
e7815efddc89e6e3dfd6575dd0af83c8
SHA1: 099b974c208e64e9c16e06d44a11b2525b6863ec SHA256: c99968efb7aa7cbd96ec553b3c8a11673024c79288b62fb03e40160cb478e966 SSDeep: 768:F5hKZi8zkkdwJpszNePXJzgSAX1VvNHHB5X+wNAEq2EZPq6Tquw+y:tKZi8fddzNuZzulfB5OVaE1q6y |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\So2CJKBAQ3_MNzog.mp4 | 0.98 MB |
MD5:
eaf9112f6662f433820e062f17da2128
SHA1: 74661ba33e2d8a384c8b3c23753f4b2856e2dde3 SHA256: 2ea9c332f624b6d44c11a6f14dd071565d072b68d0a99364355dffcb79927441 SSDeep: 12288:1DUX4FLWf9w/QFh6csTeYzLvyi39w3DmTqgUvEyeh8/9KeZ0ZE6a/AQmLIIzuLqh:GIFLWf9DgveA2i39+0PcKAmaIxL2ulv7 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\UHK6SgOn.mp3.locked | 15.49 KB |
MD5:
81fb930483d35376b5fa8bd345bac3ae
SHA1: 30af5aa9613ff4d6430bf1792dc15ee220867628 SHA256: f424ea027d6ccaab40784c6e24dfe4201cfd1b78fcfec4af12651f38a60c784f SSDeep: 384:7eT3IqfOE/Tm2VwDmqegjKfbMHirlWoahlYb5LESDr:7ejI4lTmu8egWfb5lXAC3 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\UHK6SgOn.mp3 | 0.98 MB |
MD5:
2940f6fc35f00b0398162d9763b271b9
SHA1: f2e54163db71ab164f282e5aae3ca730a4b1bb43 SHA256: 70d8ddc7f23e04d7610e03f6824f6c6c2552cb8fd50110333c509f50c6e74ae7 SSDeep: 12288:l6dak0M73NelhrhLR9gKZ5kBMCuYwGBcfYl9a4IHbLlsHPigYznFQAy5G/rFWJ:odamJ0BPZ2Wc9E7yHlYznyI/rFG |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\UtCAuv0GdF.swf.locked | 13.03 KB |
MD5:
f56371fb1b3ce98f8dfc61bb1d2e2436
SHA1: cc63418237ae74b9831c9dbe9ddc853ae163e82a SHA256: f31ac5451d54168703b58cb5459077c0a5e2a50ea14c579da86d4e6c06d8fad2 SSDeep: 384:Q3wH6uBKMahJ9VmMwu5Pi+gv0lyTE6NIq6OD8304:QgH6qGXVvK+M0ww6NIUD8k4 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\UtCAuv0GdF.swf | 0.98 MB |
MD5:
3d86ff8641d5f9534d2ed2c357fc3cd4
SHA1: 02ee4eab8cabf0ec4785e65c76843e0c9b66e519 SHA256: acfc0f8d12d541cd63c6953995342b8b5632c1a045d3e51bdbd8ed4c66ff3776 SSDeep: 24576:DTIZWEwJNuamCgMYjoJrq5hEQAPD183OZ5kkeo8O:4iA8rAtod |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\YOfE_up0byG PSSN0.png.locked | 85.50 KB |
MD5:
f81cee48ff8fa18b373ab5ba2786e0ad
SHA1: 916df1dd4cfed4569a2851ad38ce28a537e3b9fa SHA256: 9e8d93fcc5052cee636e6e7b6e76e762b2b8388a277a6f01d201ec1b5160c235 SSDeep: 1536:xGInl5HWLXLaW1sQ7TYgEsQVZbkDDhKu6S20ZGTBjwyqjJkLsmBj:xB1WLXLaWmQjOOuq2wyKVml |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\YOfE_up0byG PSSN0.png | 0.98 MB |
MD5:
477a8a35c2457fd81b3c2035b3b71de1
SHA1: 216b5d691390a71f16f6ff02abf9a9ee5f90c8a2 SHA256: 7c90a748fc0b91909a725b7fea9f6971280a735ee5a92c5d78288b97601a9110 SSDeep: 24576:LoR4KsyAC96C8kLixAwMtlqEfOEvWRWdySd+hZuan:I4yxNbv85n |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\YvYs.gif | 0.98 MB |
MD5:
5e1d941523f5bcb6da8cc4558faa6f02
SHA1: fa305d07515f93650e9c58b458dda13546b75cad SHA256: 7ca2542546210278a34654b516429479ea4e027fb0043552d6d98c2dfbb36d60 SSDeep: 24576:frJxMBxfn8Rlu+hvUtNA5e137GDozVmt/zdLGL:1XhvDA7oC |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZRlfl3nCYB.gif.locked | 22.47 KB |
MD5:
551429cb69ecd3165f7279a99d10c087
SHA1: b27e22712c18c026ca6ad38e4b1e648676909a0b SHA256: 5316e050272d66e804924007d4c947625b1edbf1985823153806828b284d74ef SSDeep: 384:L24O6KG1byJc8JPVrc8ApAJE+W/rVN8HV2e7UqJx4XJpnX9e/ceWp8wQx1:zOw1eeCPZMpAEVzV+1PwS4XA/ceWpXc1 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZRlfl3nCYB.gif | 0.98 MB |
MD5:
fd5da250c849b98d2a0510e58ce34035
SHA1: 5150fcb0ab64cf824986bf6b6ce4005aa3a5305f SHA256: bb6341976fd944e887d24873d51040cd1f264aa896bb034d129a3052cd8404cd SSDeep: 24576:TxNgbepKSMBK2aWg1wqm2BuR2YdMzaGWxG7CbGJ7GSqUg:TxNmjOuRRNy+ |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\iy4Mpm NDehEf5b8o.gif.locked | 68.10 KB |
MD5:
287df4adcdeb2804a3587e350e0176d8
SHA1: 928b952be4b42d70cff0a081b5d6cc6e9e9900c7 SHA256: 523d677204bbc4600e9f6e7e8e65d59a4d1e6fa3840371697d31b8822e7682fb SSDeep: 1536:sRIaKzFgABZCULWDYpTp4TX0CvGEOGD3oTjxbHl1kW6H7utA/Hr141GD:sRFOgmEEN4TX0ADaBrkBitU1eE |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\iy4Mpm NDehEf5b8o.gif | 0.98 MB |
MD5:
95f8b4b17197045449404e49d8864dfb
SHA1: 5999e52864322d2160f9415782db65ab5e5b0e65 SHA256: aef7c858471d5cb9c2c35dc7cff052fd197d3caa1d75eb28a850eff94f4e3845 SSDeep: 24576:qxtly1zEy9sqNwBQxAp++K0hEsdAMK2/S4aK5u+X0oi:N/fm5KsSn4aKnI |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\j498aiGAVucSDl0V.xls.locked | 24.52 KB |
MD5:
5de71d48f184eab7a32a5a45758e00cb
SHA1: 027164684204ea888f28680927802a4dbedbc5cb SHA256: 12502ea8da9030af14d0111b155f4c3bd22fc89348b3544984385d629c2b4515 SSDeep: 768:LDV1i3ZtowzRuRr10L+X6FUfmCpv2rARTv:LDV1yfaRT6KpOm |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\j498aiGAVucSDl0V.xls | 0.98 MB |
MD5:
e41a2e9e7a41d1bbeecdb107f1f5d69d
SHA1: 01a6699d0b74829578a0f1224225dcca983f07eb SHA256: b34c25186f2247f37d56523e4a47996272c62ad2e828e1ce0ebdc81f79aed4df SSDeep: 24576:iD9Zp88RNpxk71eJ0H5E60mcGblI9i+N7G/AuiMa30ma:wWoW8chDNiBEh |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\jOgQ2vmu\6UB4wAdI8gi.png.locked | 9.30 KB |
MD5:
a7add068e6e8f564e723749b9215b9a8
SHA1: 052183c31368784bae4f11ffb5e7a2065718884e SHA256: 9c4dd38d206f178a05a0418d0a600319f65db4a70537e2f1b1209cffde775545 SSDeep: 192:jVj+o3+xcea0Qa9tQsvMLqOTzwePdE6kGteAf30CCCJj7B354cPCC:l+o3+6ea0TtQ7TXO6cOEXCF7B3DCC |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\jOgQ2vmu\6UB4wAdI8gi.png | 0.98 MB |
MD5:
5651c976671ffbeff9465197d46c59fc
SHA1: 901cee07146c447ee604970122253f3c7a7b26de SHA256: d94d7139df89bff9f23bc9b5b5d5b468ecfe0c0611441e6d9032cc680b60bdb3 SSDeep: 24576:CLb/voMw6ANTy7zkxAGJz6jxIHvLtK0VmFV9p:IHr7wFcPz |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\jOgQ2vmu\GuwyiBN4YBoT6oCbSzO.mp3.locked | 55.48 KB |
MD5:
2ae8d2807759d008ffc0a9d734c3fe2b
SHA1: 2c57a68bffe14b11c907a20c254b2663618adcf9 SHA256: 44a4fab88fb65f5aa5c813c8d351ffb3af73ad13f874d827776dc42fc246d572 SSDeep: 1536:hlKzvLB6DFhjjFY+vv8WBoVuQMty+06Rfbx8h8Sm5raW:hlKz14Fh1flogzt5PHSCrx |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\jOgQ2vmu\GuwyiBN4YBoT6oCbSzO.mp3 | 0.98 MB |
MD5:
42c1e44f08e71b56414755bad8f4ab90
SHA1: c853fd37dbaab71bd98049339a54aaf98e6fd3c1 SHA256: 6b1f4cf9e407a182a87d866f9f26f0f7dbf910f3516d323df1cfaf3ba05b7762 SSDeep: 12288:QaGkp5g7pZOQLh3o22MQoZYleqEDVR3maUiTQj67Y0DNvAwWm4Iwxe9Vjjx/d6zS:/G57fLuvMQomlcvojgDOosgl/dDNB |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\jOgQ2vmu\RYzmia1V.mp3.locked | 68.32 KB |
MD5:
2c491b88ce0fb412178fcf3484a4edfb
SHA1: e47fc5e3af68500e8ccbcaab5638f98ee13ef09a SHA256: 525aa4162b524bf2ab0f25a3735233f4936b164170806e9fee1cc1b320307958 SSDeep: 1536:F4LAy5Z3TMpyzzsNPcSJi7ZDc3KzrfbRFzdeGcqCOwtW7DPLdK:az518yecd7N/bRFEG0Y3PI |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\jOgQ2vmu\_cxpP.mkv | 0.98 MB |
MD5:
12f785e5d4124d40e1ae26500ae0b5a5
SHA1: 153fcf7c749cf201ef0025b15ba1e0c1479dc7e6 SHA256: 1a01576b4b5ca7d8be18b951ce7def11d1076818d6de54de763ec488ac585772 SSDeep: 12288:fDBAoHCEmFict3yql1QawDYJd7C2CPLOVhYlLFoj5gwQj14aP3I++bWYCtI2LZ5o:ftAoHCEmBSDgKLOTkL6j5J6bV/xLmJ |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\jOgQ2vmu\m26Dpmh_oT.bmp.locked | 14.26 KB |
MD5:
dfb8d93aba904353c4c4350ea338a75f
SHA1: 936cb5e4e55410631760672d6f98eb6143d036e8 SHA256: c7312b43dbed7635640ac105dcd253e91e3b75c8646352bf4e74be8d191d65af SSDeep: 384:x0AexyGliNIzABXj5qST7dP280UbbYJ9F:e5xyGliN+4T1h280kE/F |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\jOgQ2vmu\pNpGn.bmp.locked | 43.63 KB |
MD5:
ae2dfc9ba2b234ad75d110934087ccf1
SHA1: c434c9b8d123e3503fc7dac41494ebc8422b1f3a SHA256: 5400a190bbcb2ee567a4eb0bbee9560642e5d01770ed3e9d5a9cb86fcca82a6e SSDeep: 768:EtHQu7Zcwihb3RkB/WK0tk+BcfSKzDfyfSiTpVEgqOWszdcdTqPLGL0/hVWf:Etup3Rkc7K3fy3Tp+ghzzdYqaLv |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\jOgQ2vmu\px23TfmpUYS.mkv.locked | 12.71 KB |
MD5:
59c62ea4283b7dfcb8664b42f1493868
SHA1: a0cb1810358bd1f6d1375f9d496c2a08d0bf35b8 SHA256: 3fa649b56f1e3bd3bdee983c37b8c797fae1581d909d848c912f96f932233829 SSDeep: 384:8P5Dk4bk/F3GMSR7DgOFrL16TN6DuaKZLyi6:8S+kN3AZxYqP9j |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\jOgQ2vmu\px23TfmpUYS.mkv | 0.98 MB |
MD5:
200f2b1bd08057d983df1363db5aa083
SHA1: e496b9ee72b507481d5557ba6a29625c9eabfc0b SHA256: bd5a437105c011c6bf1755d28cf29f70f0f98f01ef4acd5a642435f511aa7162 SSDeep: 24576:O/Mj0A/oGS3CZX0OSDSWJ0oJrJUMCs/2AS9rTLB:9vaWWJFrvh6 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\jOgQ2vmu\qrtc3nFE.avi.locked | 36.58 KB |
MD5:
3afffe94b736eb549f8922947734645d
SHA1: 489b589acc2d8c3d8a2b5ee780a862442684ba2b SHA256: fc345962d6ce20039bd5659493f8b4006288532c6ed992367799d1b3a5f796ba SSDeep: 768:J1SSkdgNVsrLTVpS3IzUqhV6cEqDsE3QXAQBhatzSnqb9lKp40BI:JaQsrLL6IzUqTeqYO2n2C40O |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\jOgQ2vmu\qrtc3nFE.avi | 0.98 MB |
MD5:
ba93c141bbca63de6c40e440b6ee553d
SHA1: 6b0addf6b74196d364db24b9250ad6b3e71a9503 SHA256: 39907974ab6eddc2e73c533b694ed73743ce69718d2b3fbe5795076709408f8b SSDeep: 12288:/jEMLeHX9uifoHyRyJ+IBqy7zI8fN8xXu+iUntFpQx/egU+PDYwTMfbYdojR+2HG:74A7HkT4qWHMXc0/o/nUcDYwTMMdK1WF |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\jOgQ2vmu\x5z-b33wQMuCpUod67F.bmp.locked | 70.40 KB |
MD5:
95df87c67118bfa0874ab86fddba5711
SHA1: 5e25079dcfcdc49f62f82c536df13fcb99a8f5c1 SHA256: 7fb432cfeb6c4a1c6fb59031ae0a97cc729ea997668ed253fcff71fb04ccf86d SSDeep: 1536:/SZnDBroXhBDWw6dc53UcSf9zjdIZP3KvQi3FLFai:a1DkhN6dq3S9zyP3Kv73FRai |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\jOgQ2vmu\x5z-b33wQMuCpUod67F.bmp | 0.98 MB |
MD5:
05bad56c0c1e134f0d957dc31d78cc41
SHA1: f4c5673220424b8b1280b0cc8b1482e3e1f48b28 SHA256: 91524f80011afb8dc93999be142c78a575e609bcd7870ff300d7def3b1c56d8f SSDeep: 24576:s9TDf4jbGiLcVAkMBlv6U5ZR/bmpUJq7eu723Ve1S:kafHCzvq3VJ |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\qQwIdGbeg_Z.png.locked | 71.93 KB |
MD5:
3a7678826f0f644519cb4c027ef6356f
SHA1: 14d766c8389e98b70d8e5f987690fab08eb7aa75 SHA256: c6f6ab0c4b86485251591a4fce14680b5f9485b5a489bab7133bc458b8a27f97 SSDeep: 1536:mMFNTAoDyW60Sb7Np/Pp3Q/zk6LmmiUcf8Dclg7cUGv0g:RTAuR6JNA7Z7iUcga0g |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\qQwIdGbeg_Z.png | 0.98 MB |
MD5:
780fec75a183bd55e5a1078744908e1c
SHA1: 3e92ae6cdc928bf46ae7267ca1c965aef514a895 SHA256: 2f66167fdb4eb02da36cea822b96fd06a42e8b08f47215833b11b2f432c647f9 SSDeep: 24576:/tvx6XaxK7oI76peZUF+1Rd+t4Ej7pCr5:lfcgt4ms |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\t1RVfRWHwmjTGo.png.locked | 87.51 KB |
MD5:
9a4233beeb65705adf092c070bfb2a59
SHA1: 9f378c2301d6904802d7ba92dd7c01f82c9fc8ee SHA256: e50c360ee51465a0366b729f88b80c358384b934fa735889bbc7aa9598d2c7a6 SSDeep: 1536:Z+p+4knpviAQNMsTIAKj0j1w6y8FimwjrZT1DeH1JAVNaLq7yDBJY7VAL:Z+zkJsMsc9wq6PpwjfLVELqyY2L |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\t1RVfRWHwmjTGo.png | 0.98 MB |
MD5:
224e9a1851dd25a6b33b1782abf11807
SHA1: 54e46e6c6139f996d9c4e8895dfd909c91f95ffa SHA256: 2e4eb6abf43adad0b4455a64caa65016eef62ba0790af87e8764ed9f1a59d59d SSDeep: 12288:YZTfkVenC9TDzR+XTXLlztROSF9Rp2VgQvo3ldlgcl0D5QogwzIa5Id73o:GTfkVeOD1QX3pP2VvgldeGfw0d7o |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\tFeuNNoFgT3OFYmqmD4.wav.locked | 25.34 KB |
MD5:
ad209668795b2aa5b1b6f09f29f33456
SHA1: d786d575e04486e4b5224384115b3999e5272980 SHA256: fbcb6857aaa70aaba9e04709260c57d44687037003a264db7333054ee8e4e4d0 SSDeep: 768:MfXkeoMKg2BkUCnWiu/hR2teduaX1QcX7Qz0ZmKr:leoM86pW/RkWfyC7mKr |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ua-gd3_2Lr0.png | 0.98 MB |
MD5:
0d9aea116f2bda3ff85c80b2923adf64
SHA1: 0e44fc5ecf616fc9cc48df5da7b24b54548e778e SHA256: c586d1484043e1e1c902608a0ba5662e4e0c994472fb8871412a966bc8e2c2b9 SSDeep: 24576:PV3awgJQ2IBIVel/8Q5WjcskEnHoz4RcsmLLubhPX:yG2ZNRRw+ |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\zbxI2l.mp3.locked | 18.94 KB |
MD5:
40f3c3fe5e9278b9a0ceb049ba36ccb1
SHA1: 8464ea6cffec6110e6af99dd573aaed85dbaa863 SHA256: da556439737bab15519cc83eeac1c3fe8b14e3780df22cd24633c6f6d76166c1 SSDeep: 384:1qropts6PsNt7B+0b3csEUVxJB+PwwgnEsBdOpKslVplq/oY:crb6Psnl+0jcJK1HEFVpY/J |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\zbxI2l.mp3 | 0.98 MB |
MD5:
bff12ee3ed43f4eb9eb071ec83efc26d
SHA1: 5b781d37b32ce4c0fe586b54d79fc0b92f192c79 SHA256: 142333a93d24a7beb41b1a29b3beed1db8009d33b9bed5d125c45a568d63c8ac SSDeep: 24576:EzaTUXBK3tI7w7mcOU6QPxaJQeDvBVdxw5s2TdXh:Ez5wik0Q8P61R |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\-i5 zp.xlsx.locked | 14.29 KB |
MD5:
93c058da5733744c9bbe9bd3cbd0669e
SHA1: d1b873c76600d0d29785351e01e61ad9fcef499c SHA256: d60d565b82c5f2005e7857ed2318cbfc25066b9f9b80a085575df093aeff0650 SSDeep: 384:lnohacXV1WUjyLaWvg3Ii1n1XgaJ3WLQJ4PE5p:5okkVEvLIL5hgs4tP4p |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\-i5 zp.xlsx | 0.98 MB |
MD5:
8a565a81f0c8475104584baf170349d8
SHA1: 17a413dc7964ebea40469a9d9eb21ab84bfb21b1 SHA256: 11f6634560dca47518b8a73a2ec51bcb10a6e84991b961bb67a00864df0d92f5 SSDeep: 24576:+EdpIYtnxABavCG/zIHKwWBnXowDY9Re92acW2:+EdrOudI7sc |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\0_T 0gaBQB.xlsx.locked | 52.15 KB |
MD5:
8d4faf6798600c8e7288f447496b047d
SHA1: d4c8c23aa6076bcf5812da06ec7225f31f3156ff SHA256: a60638525d958198f2f3ec227c920da091677de3fb539f6c236bf61b6e01d39b SSDeep: 1536:MCx2dL+f/LKS//FVUSPYHTMcaChW5Zs+zcnLelTVSSxY5wFV+oCu:Mu/fDZYSPQQceTzYLE8eQu |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\0_T 0gaBQB.xlsx | 0.98 MB |
MD5:
bb2ecc6576f11e0d954d37089ff9ae57
SHA1: fd41cdcf0426476286e03904e48ea50447ec21b3 SHA256: 19a481d9e82181822915c76bf2a3b533f2ee1f1feaeab7f8963bd40f4650014b SSDeep: 24576:YNLPsCelHXgiTws7SCgDm60Zg/V3MKlnbzqaNU:0QqjC607Km |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2I4gmvT9FNn6X2VW.pptx.locked | 90.46 KB |
MD5:
00098092df7e60950932abe1ff94e356
SHA1: d22e2937b47000edbc0dd718f959a167aeb517ca SHA256: 2f0906f06951cea2efcf7988d215b3b82402229e3562db09fc3c9cda29c1cf88 SSDeep: 1536:KjDM2KEmRC9iXjeSpkNT3v1gzn8IyyXfso8LZefFlUDeyO5Ba4c2:mMkmRCyyRT3v2j8pyPsbFefvlBXX |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2I4gmvT9FNn6X2VW.pptx | 0.98 MB |
MD5:
20af8878ea633284d1a8935ef0689006
SHA1: 9ec379794b3a57a0c94be9071c46e81b96b68a1c SHA256: a51cb6369233145e99519d563c57a07aca735f0c8d3f75a61eef2a59f3b2f964 SSDeep: 12288:qd3g7+98vsqTUBuvUiYYR2niCToSfU2KWcSVrMI/C2thrjQcYic26hGo4afEIimG:qWq/quwztj2aWb62bYncOtzXzVo9b |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\6RnXopz-k.doc.locked | 65.02 KB |
MD5:
df34346ca24be5f9dbde0ba7f8ed6f33
SHA1: 2e75280daf2a9a282e181ec3a730a64f9b2c52a5 SHA256: d796014abdb534c85843854ae806853609af234cbe419bd21ffa76d9f26e8346 SSDeep: 1536:iWXFagSdj5wu2YsXLR6sFPIieixQLwjskXIkZeDMr2hj9x:DXIdlwxb79FP6GQcHQ4299x |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\6RnXopz-k.doc | 0.98 MB |
MD5:
688c6e9717719c961b2eedc9f335f677
SHA1: c2efc748d0f2a43193d55afae2731242ed1ec357 SHA256: 21463607738a0c56e302812ebdd9cf8b0a08c5318168c2f4b6b811de6a858bef SSDeep: 24576:Z2RRImpgd/zMVR0glAZz/4x3gvk5i/8ZfEGl3R:Z2QHg6i7B |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\7kTnD.pptx.locked | 48.36 KB |
MD5:
b2b8d447dd675db3a23499bbf7866f16
SHA1: d541357531139b5b13c669e7f381569b30022edf SHA256: 5f6b70defc694917654a0a1f0e5eb48ecffd7eb04f68641e1ddd29f06e2ba542 SSDeep: 1536:BWOhPe2dkM1pbfDJMMAuqd/fLwO52ScNpYL5X:gYeY91pbfDGL/zw5/YB |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\7kTnD.pptx | 0.98 MB |
MD5:
b097f61c9156f318d958d61b3602f3f7
SHA1: a3a2e194e075e74f8fe6edbeb7e649002eb263e0 SHA256: 65136b4be2b7b5dee70168ee73de92ee2702305c10d24a19ef43330ed84500b1 SSDeep: 12288:wwZcjDXIM87XI0wH/ZqA7DZgk5kCb0E1v9PJwbVG4VL1eXjVzRdsX4zaQWknlHwY:wwZcjy7I/3ZzxRnwpGWUVzRdLVAgqSh |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\5uaSR9B ZuPf1BTfff.odp.locked | 66.69 KB |
MD5:
7f063feb3da38f86e168b575776c959e
SHA1: 54fea08b29048eecde954afd08f0017854009669 SHA256: 1af838fe86e9214098b154191b00117e2f5e75b8ce1c2d6f81409307d8440475 SSDeep: 1536:upBVWIX9AO7upcV56NxKh5Fr1m8cgHm80iYIGRDNqjrfTvK:QnWIXaOUcV8K5rUaHx0iYIGxc7vK |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\92_SxvMwhaREWv_iEiv\BbPNjGtemOLJJ4CRkVP.xlsx.locked | 12.06 KB |
MD5:
876f875d3aa9909b0ce14bc0019025c3
SHA1: fc41e2ec872408dad7e000a92d348588d804d284 SHA256: d6d58a29328a0a071ba690926db141610eb104cb60c0bb80d2a7c8c35e0d54b2 SSDeep: 384:cT+Hgaja9BYoGp8BMp6XGND/I7uIIhQ3ZJiwB:cTaXja9GoGiBMp62Nk7QhQJJ |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\92_SxvMwhaREWv_iEiv\bVHjag_I3.docx.locked | 20.18 KB |
MD5:
0ab352bddc20a3ce8814b6d33f0a962c
SHA1: c1c70f3191b91d44e449962856ebbd5bdda5002c SHA256: 42dd8c9e8c2056eb6cd23c4787afd7e8360857c76f765a04fd23bd9d673359cd SSDeep: 384:MScI9ECXoMyUWj4X6RgI6q2yC7QyrJyzUrl2s/pndV+CD1lHM:Tc1+oFUWcbbyCUyNyAV/pndVrDI |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\92_SxvMwhaREWv_iEiv\bVHjag_I3.docx | 0.98 MB |
MD5:
ca7ba3984627035b4086ac4cf476dfa8
SHA1: 1ce44754a12b91acbef9dabb4cdf2253b171f27a SHA256: 49d98fc7c7c5adcfeca730297584ff2bfd1e186a0880c0654c01a8492322ff0a SSDeep: 24576:z+XN9Sq5abBG/rYct3p/mFMI48nG3rgPbmk2/Hiy0a7fVSyvBbA7:l0/cQ3pdObPAE |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\92_SxvMwhaREWv_iEiv\rO8WWC0nut8--lGMs4lz.ppt.locked | 3.02 KB |
MD5:
338ebb1051d3704a4c757ec85ea8441c
SHA1: 19fca6fa19717cc4f97f1bc5803aa921815087d1 SHA256: 9c589c960c9735b826731faaaa75b7faf7bc71602853dfdd54b2abfc2fa52745 SSDeep: 48:ZyHbpPIAky+rRM8V/xt6XnJ199lBw1zrcAAQx2cQjW/DmvMSRl3xPF:EHlPkFM8V/axTorcAAQV8WbYMC3pF |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\92_SxvMwhaREWv_iEiv\rO8WWC0nut8--lGMs4lz.ppt | 0.98 MB |
MD5:
c8b19470ca740d639d405f3918c943d1
SHA1: cce36f965d9e46f4cdd65e01e328afbd5f8542a0 SHA256: 5e97f0a85a339dedc4d415a8fae6ce85d5eb02fdd4612cc370056dad81c00206 SSDeep: 24576:9iEt2MO+JgXkQt7vksUzMaz2cXz6dtNvaHz8aoJ:918x8qcsUzmce3NijY |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\L90N\6iZpuv3BJu3uhtMtnn8j.rtf.locked | 71.76 KB |
MD5:
386c64a282c010f69a4595a32d98cd0d
SHA1: 3ed4e6cb9d1e706e38aacacab3c12f3fad5c5aef SHA256: b92df60a3dfc99491af2fc1a7f1e4ceb9a9584b5191430a7203a0eeed61627f3 SSDeep: 1536:P0ELelP5TqS/GC97WlE0urfdx5ufS0ELdSwNg+5Eq:8ELyhuSOg7Wlqrz5IQ95Oq |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\L90N\hcX2.ppt.locked | 55.46 KB |
MD5:
1e42260f3195960265b3ee32ab4093de
SHA1: 597ce5174f0349fcb4477d26768bbd327fe9bed0 SHA256: 72d5ff6e23f2d5c2ed99a5b0ad5d587538c7f62f616794006b9326dbf4c08f2d SSDeep: 1536:8NtvhkRZv1jmFCeAFKJxpe0SJe1rF3d2VSwvoVYrIHDM0ajgb:8NtIeAMJsJe1h3YjvX6DM0aq |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\L90N\hcX2.ppt | 0.98 MB |
MD5:
f8ff966c3948916381ac7e7d64074a45
SHA1: f9bc976288f17b2a1b122d6ec406a71c86a71743 SHA256: 2df4878d6dd69474517073370329ad89dcc21849471f165847237cbcc9d8f5bd SSDeep: 24576:oY7oH05VVHQ7TndRzDRCKbVguPJSEIU3mVJ:Xy3zDVty |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\WloOH6tcGBIwPp.odt.locked | 77.75 KB |
MD5:
324422f64c35816bb6523a7fa17268f0
SHA1: 982b06fde48478fd4d5269a5eba933ae043e3a4f SHA256: 448f09488986465d4fb94514f3c72d57cf5ff63a00b06db02591cb7032e1ba31 SSDeep: 1536:hGh5/x0m8mE2l664IiSoU3aVQSe3vBbn/0LU+esSH5HuRFb6NzBhxAYoCHJRBs:hwxRlEkiSosb/0LS9BjoCHBs |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\WloOH6tcGBIwPp.odt | 0.98 MB |
MD5:
2aeba83e34bd2549e125563c035b940a
SHA1: 697d5619bf1a1ee8b8091121057d341be8d83f3c SHA256: e4e734587cfdc79453f80a27ba87446a0c9544f4c4d2014876d22e399cb69447 SSDeep: 24576:+kdjCDmGAKs+Y8LjiHIUpGodkEepAj91bInuTE0cBwJOZj:+kY9n/Lm8nT8aj |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\rBRyx6fXv755VE2eb\7pXJpJe.odt | 0.98 MB |
MD5:
6648f694b5588ad4a62927886cfa2834
SHA1: 35339818b8e1e1c94a09ca20b3e796a3c421b12b SHA256: d1b7a051138da47d2d9439b6ff25753e36721a862168c5ba940d037b89bb3144 SSDeep: 12288:a3gF0U3skH3Hznab2OS82l7Dp2BIaeYP65SvBw/s90CCgleszNolnNOC8ffIe6Kp:a32F3skXTnepSpfILp0CCzQa8zmyf |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\rBRyx6fXv755VE2eb\GFEs.pps | 0.98 MB |
MD5:
08d8003a7b299af706e65da78c8a19b2
SHA1: ce8065561e1bffe07963041ddac3c55cd38c81b4 SHA256: 474880450380854d348153b8f75c0d23afcffa290c2b03198444522b1829d16e SSDeep: 24576:t0FBuYBhN9U1OW8TVEASAcNv5nInowjRX:2NCRNFxA |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\rBRyx6fXv755VE2eb\HgLIrd6VHrvR8L57n3u.pptx.locked | 82.37 KB |
MD5:
2962252fc348bf529016062a84667a1c
SHA1: 58c16335189060ef18327a65d8b726476ce6a134 SHA256: 1b1ef355838bc54bd16a5484d40ae1a0d9fe35f99494a106c7c1aebe220c5481 SSDeep: 1536:zxdHBs7otj8mQWjirKk1r2NXy2j80y9h6K+ACnYOqaB9T2HeZm4qUXS9:zxdHK7ot4mRkuXy2j80ygJACnYJaB9TY |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\rBRyx6fXv755VE2eb\HgLIrd6VHrvR8L57n3u.pptx | 0.98 MB |
MD5:
8998e2bc1a4448aee1c625b9860d2c77
SHA1: f9732af0caed5fa34dd3ada7776d489d944a6039 SHA256: eddccdf4f83a2ad998f7e0a0fdb16adab31f90a37cc5de08f7d78ac6b04f67cc SSDeep: 12288:BY4jTypsGokqSVaLEdzKRDgK5pRp048zA+HBoJ++1KnD1H+ZQ9nOBzY5pPRDvYYD:c5oBZLGKREKHb07zA+iZOH8olvYg |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BQDECG7yW3K49TIHOfCx.pptx.locked | 71.58 KB |
MD5:
0ee261f9369eec3ab79f3819cc5bd796
SHA1: 7f8c7e0bee4c68b2aad2f0cffc907fc349efe146 SHA256: 76be9f92ac105657a4cb105e243aae2b9cf2abd995de940501c387d74a5f8391 SSDeep: 1536:32yjg3LYLIMwcxADjZqeJwlUb7VbGrx9XxHizvceX/KXsXYd0Oe:myjgbFXnZqeulUb7NfsDPe |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\FpBJs9T0l nBN.docx.locked | 69.72 KB |
MD5:
486d2b3d4a05c9b3138977e73c557f63
SHA1: aa34d1c2b371f80421956accd7db4ccebcb350cb SHA256: 5ff3abe9c1a31f9d5819ae3135ee4fbb6dc270f7744a54061a29457760d7e797 SSDeep: 1536:83QlRrP6VSG45XEqTHEK6db60UbkO9MSBR86/m07zdyq01cCI0Tv+D3inHXI2:VldP6UG8tgH2jnI677pTCI07+D8XV |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\JD48gNU5dunhkE8.xlsx | 0.98 MB |
MD5:
1921d7e3cb97e8d7090bff91246bd404
SHA1: d0c17ecacda7fb47da52fada60ba0b7f53119797 SHA256: c30cf5cc65a90fc29a43cb5c53c014be46a1dc6c704dad309e5d6dc276e3991c SSDeep: 24576:ihl6I0BUJAyGGi10SL24DfTscE5nUILHZ:c5By57u1 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst | 0.98 MB |
MD5:
06af4e3e3449988d8ea9e96eafaf0d16
SHA1: 862ed0d03c48a8355322031c544d9b55f2eae11a SHA256: d5382346caf179eae623961da389999b5eb003ecadd774e5423a9c7d0bbc776a SSDeep: 24576:lAmd+lQQjHV2ITnRvcYUaWoEcttAjGhNNqU2:N02MRySAKTNe |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\P7lumiyR5eaK1IBOFo9L.docx.locked | 9.64 KB |
MD5:
0a855683d42b617a774643528afa6d5b
SHA1: 49c44c42d066678449c15863ec793c89dbb7c0be SHA256: 25431bbf4f8f461145e4619604f57fa997eac529f469a4ed2e0815039bcb3e9d SSDeep: 192:Wk2Qsg8uoF7iG+nDxaQ8TbfcEyJo1CPEBdGimXPr/hGNhqy:W5Q/8f7ijnD+Trvio7dX4r5GNl |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\P7lumiyR5eaK1IBOFo9L.docx | 0.98 MB |
MD5:
264cc744a51587d2c68819f402fb8991
SHA1: 58c692426161008458f4cf4ef0dfbec74f86257b SHA256: 2f1576fef8816bac4f57c20cce09f2735d66d3e3ceaa1dd2c3e57c9c7f18a91c SSDeep: 24576:cAD82o47rKex+RfXJDZHoybpW+/yDIZqUaAfE3Uo:8MGI6EqE |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\TWBNkQ26WWv\5Szp_wWr9PENCj1pF.odt.locked | 23.52 KB |
MD5:
75de196bc9ca045efc56ac8caedee644
SHA1: 343634b7e9647287d6211244a8fa59b913cd5366 SHA256: cf3466bbbb81fbb790c89aa548381aa78786c84c898cf1052c13f6cbabf85167 SSDeep: 384:qPFcM+Us26GkHwBbp0B68MoLPw2SDhYmhq1VAsLpmHCmOnXwgfZbZKd6:9M+UsDQBF008MoU2S9YNfpmHCnXwgJZB |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\TWBNkQ26WWv\TuDvm7tzErY-EDSrF.odp.locked | 33.38 KB |
MD5:
569f01f2823c746ab0b064215926eba4
SHA1: 822916dab675625579edcc375a3a14014407b9c9 SHA256: 5fc90b4300fbfbbe93d473e3645b878b68399dcdb4878b308131dab32647c3ee SSDeep: 768:CUqbcuVjWkgs/ri8qLIteeXCY1vCDZZ6Tb+GaZWtp9yMn:C5WMiFLI4O1vg+G3Wtpp |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\TWBNkQ26WWv\TuDvm7tzErY-EDSrF.odp | 0.98 MB |
MD5:
7c369419f054dd995cfa39d16c3373cf
SHA1: a6fbfde7fb77db859068f896ec0b0d71d1cdb668 SHA256: 00bf60ebca8d999d10dea917ef9347806a72312094aefe84bc32664e1a62fda8 SSDeep: 24576:n3IauxY8L7GL9OsYD3Kv30rkc+IJTMtOdvhpLI497KhX:3IBI9ED38koILFC |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\TWBNkQ26WWv\V7fxtVeHfHqqJ_txoS\3CbWu.ods.locked | 79.70 KB |
MD5:
e4d748517bcdf3d2ce8b75ff66895a76
SHA1: ccbf8c635ab00f81a678ed24af995da4f987e584 SHA256: 89848ff3bed80ccc4715f70fc91db17806add26d2da164222158af6486ca78d2 SSDeep: 1536:lOvV9K+C/oV2hz7YcPF7l+QUl86ikpXS4W6Kt24yyJ6/tPkiPy6gZ:wrVEotWFkrlpigpU24Sv66gZ |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\TWBNkQ26WWv\V7fxtVeHfHqqJ_txoS\3CbWu.ods | 0.98 MB |
MD5:
477eaf261650033303c2f8245ca482d0
SHA1: 1d236dcbe412dfe9377b7c0ba0e67ca3bfdac875 SHA256: 14b5b862ce6de59ac2c39d71006c19a9d0a55a3b3f88fb325affb9f17b8747b5 SSDeep: 24576:6Ya87D5KW9bQtmzOYwmJUEpbpU1cc0LQW+n63PlVAN:6C7db1QohCofLm |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\TWBNkQ26WWv\V7fxtVeHfHqqJ_txoS\Dp2TlVTx1xkc.doc | 0.98 MB |
MD5:
5d2ed32e7029a269ade15b0cdabd18d7
SHA1: bfecdbfc18014d081bd5dc46493ff4b5b7c690ef SHA256: d79fd28274739ea67761b87ef8ee1a6ae99a77827610fe57ef551a1c835a32a9 SSDeep: 24576:YUM/owbatllIr4Qr5EjVlMQUO4GlPDtUS7Rl:YBowb7r4sEfIGsq |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\TWBNkQ26WWv\V7fxtVeHfHqqJ_txoS\WkAG.ods | 0.98 MB |
MD5:
2ee731199c3bc217cedea9b40e7783a1
SHA1: f621ba22e8b0ad321d9e7a5ab651a2d7e3ddad23 SHA256: dda8ccd7469a6c7b10aa8a698e0d6d929306250b39983e9b9a7942a22aefc02e SSDeep: 24576:Hr7dQcEdxqzA6apP0EjLL0QvbAcEOGWJ4wfme6NspmTu3G:H5W6ECSdc |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\TWBNkQ26WWv\V7fxtVeHfHqqJ_txoS\aqzEZW5ffU2Ui6.pps.locked | 55.94 KB |
MD5:
754d5c12a769f01a3d102f1091e9b3f8
SHA1: a84e4133f717f77bb71f8431e4337d32872a381e SHA256: 23b336c4d879950809274fce54e5ac88871e2bc3b4c70e2ed407676c9b3f23b2 SSDeep: 1536:6B72lhV7+kf0Qo+VQZQW0r1vPnaw4jp8tLVInS7:6B727+kf9tUQW0r1vPnaTjp8t+c |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\TWBNkQ26WWv\V7fxtVeHfHqqJ_txoS\aqzEZW5ffU2Ui6.pps | 0.98 MB |
MD5:
94d55cef029caf17308f25cb6eb7bf5c
SHA1: c6ae4ababfa53981bcddacdbfa86d66221d865ad SHA256: 02ff20274c6d333d44931c5d31b05b564e2ce54dee031e62b13d705478a114b5 SSDeep: 24576:cCkk+avB5AjXt1DxhlVnspE2WntqCogvIKBd:c9+mjXHn+eI4 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Wwb LK3j94MnP6.xlsx.locked | 58.77 KB |
MD5:
6a9d0a08dc1093d613109d39aefd10e2
SHA1: 11925f8424afecd767facbbce65e6d4649ab0528 SHA256: 792f726772e60802f143619a73077764932dd8cdbfc36d0e588234851ed1a788 SSDeep: 1536:h8uvD0t/AroQy5mFiTgfibsJbS9koj8WXuBpkwjQ1z72:hFvDQYPFqgfigJbcz1oCwgG |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ZWXqn_jC-RcYRb 637vj.pptx.locked | 3.42 KB |
MD5:
54f336a9d04b1e846e2efbdde63db05e
SHA1: e4fb03cb5a9e5923821018a40f058a4b2e0e41ed SHA256: 806f31b7a3969b65c01c6e0aa73c4ba42db17a14e2cbf40f8c752e85f7ca63a5 SSDeep: 96:MFRRh7bG6LPj9SxKAx/wSg6uLSJGK5r8rCRw:wRv7tjgb4S2Lq/S4w |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ZWXqn_jC-RcYRb 637vj.pptx | 0.98 MB |
MD5:
2300b1179251175850397ea1ec7c2922
SHA1: 4a379f85791b01ebf94dfe7d1559dc233e8d923a SHA256: 5a5e6f3a14a009e300364c44e6aafbe32f6786365b8ace959a596cbe4c809e9b SSDeep: 12288:63LokcfwXR0JUR/pb4unJzhnv4RivdwplkIOSTygQiEXKX7lpjmMavNddU2CIYPJ:67oLfOptNvGilylvTya5aHdU2CSSiG |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\_3edhO843d6n2.pptx.locked | 20.83 KB |
MD5:
0d2d3e4e877350dbccf5619f55938d44
SHA1: b593fa5d5b149e158cc108727f8f26d1216e2be4 SHA256: 81cf375698a423ba808e74155bea51d0634ee3e865ecb0f5675a0f97dd65dbd1 SSDeep: 384:bbEfjIdjWofhk0Et6sFaRlTdRMqtJKxXf/cRI5tZK65LylCyFVxdMRmRzKcRLPJb:bddiKhk046sFelEqWp8R365LoVxdM8LF |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\b3pQdKWSVAGMlHxmHP.docx.locked | 69.04 KB |
MD5:
490f1af5d24885b55b708bac74c72350
SHA1: d901ce6804709043330feb48eb78a7eff8505907 SHA256: 9d4da0d0184ffbf14f03ccf325c974ef827b8ea0467ec7a69295347690389c5b SSDeep: 1536:6ES27qLhFYOzSKTG+Y+m4Vk60hLz1Xntw0AZh8JiB+zIFtVr:F70hKOuKTGYVk6S1Xntw7Zh4c+Qfr |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\b3pQdKWSVAGMlHxmHP.docx | 0.98 MB |
MD5:
e318737a955812dbf0d7210b65fce52a
SHA1: e9b476db0f3587ee3dfa6611cb17f016c66793cd SHA256: 94552d6fdfc8639787866c1c2f0cee96a1f11b02554811953c6c8a16dd9d271c SSDeep: 24576:U7i9QJYnm8U1NnUHmSQqpjwgTg//o5tD9oFFdSDg:CTyDpx00hI1 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\dugWQq.pptx.locked | 67.36 KB |
MD5:
43b19100d588fb837414912db64204b7
SHA1: 82daf403d922037e7113d92a61b908ce4c197dfd SHA256: a4310d9c1b0e7a3f9b4c1052d23db95a44b904947269c9390f7a59fc5114d852 SSDeep: 1536:XQxbxzJX52rE3zc+iuSkZvwUj5roX0rkju5zHpPt7IMkEhdS9bkRk25mo:ab5xMre7i2Iwhkju9H5FIMkUGho |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\dugWQq.pptx | 0.98 MB |
MD5:
407c4876445d89b0a8d986c5b27462a7
SHA1: 871fda75f90b814d585e436df13e9206552b0ee5 SHA256: 775939ee2d243036b7313895a7280e90476bca6e61d0c2e8a2aaf0d711a20cf5 SSDeep: 24576:8Etm4C1LkvLh9JfhFMCAbmX08nvZrT9wO1SDVQVUaK:8ApMPaFjlK |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\e34RV1owXwdn9\6kCkH9bq9Z0EKK.ots.locked | 68.64 KB |
MD5:
ce7638b3e9372b159d85b718061b974a
SHA1: 85dac45ab65b4020f209d5dc3a4f7ebd178634c5 SHA256: 1026e09642004108f1bd21e926a9de70521b3e12bbf973bd75e384ef20e88585 SSDeep: 1536:XkNjA7S+zjsURs+oPgiCDGZ+I1S0BQ0RSLzf9kyslnfxP:UW7W4ni00BQ08zfiyslnf1 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\e34RV1owXwdn9\6kCkH9bq9Z0EKK.ots | 0.98 MB |
MD5:
6df171ddb2dc87ada3790cc51bf5f788
SHA1: 88644d51d134409ef9bb5a4e17304f7d87f5a5b0 SHA256: 39e82ac9569b0645df10de615c378de648d46da37861ee9cee8bfa678557a704 SSDeep: 24576:cviO0jzHT2mDhPjo/jGncRsouvyKplQ9nwZ:/9yjiv |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\e34RV1owXwdn9\JgDjmwx dpNNCt.pdf.locked | 28.34 KB |
MD5:
60a27ed9e30d7c64b48ec8159013858c
SHA1: 7008e548ad43042874eb08024c66beb919727d7f SHA256: 436731790361f088b571c5e46278aea6901d2a0f441ab4e794445f6490e9a442 SSDeep: 768:Ksguwh2oKOl7a0MRcjqNmyF0Boh1V6zLTpgKy97F5:hAhl7a0jyF0Bi1oyKy97F5 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\e34RV1owXwdn9\JgDjmwx dpNNCt.pdf | 0.98 MB |
MD5:
4785aa9c9686aa92844f1656dc4f06fd
SHA1: fcc6040d823850cd2ddc3ce3c24aa92b33efd89d SHA256: 1aa32e92d4e230a9e9a2160461bd9968ecf23069b21b82ed44f8d03668459b29 SSDeep: 24576:r2MUnVyEU7t9myos9QpuOgWv5O9J+m0HOrZSIao+QI3Mx:GoqHSWRI2O |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\e34RV1owXwdn9\ZscHZDJ1hKDGY.pps.locked | 68.39 KB |
MD5:
7833482bbc1b73e363421607ddd40832
SHA1: 5342f551776b78e4da8291af0a18867082db94cf SHA256: 5902cb0cb115d52b2835edd00abf1942e451d788666fa52a0cf4166dc1ccb738 SSDeep: 1536:JXWB2rSQ+NG8TepmZTa+jqtQ9wDYpMqGWlycS0FLx5Bu/j:lhuDypCPjqtQYYRgcS0FLx5Bu/j |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\e34RV1owXwdn9\ZscHZDJ1hKDGY.pps | 0.98 MB |
MD5:
8eca8cd444aa1eab82d58246fba48694
SHA1: 984afb12060d31235b777217bc9d8e54e19e1d1c SHA256: f48bbb0aeef5abc3de40148244223e603a77d31e2e591485d8ce03c731818b7b SSDeep: 24576:4uNOVp4wS1laxPsnstFZhin5WRXNZhkFaxCMR:uWL1YxPnvtaAr |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\e34RV1owXwdn9\bQRxFeoT.odt.locked | 42.66 KB |
MD5:
61b5b2090cfdd40369d1bb466ea30889
SHA1: 67510a3226f49b95f315f73784d231b94320de41 SHA256: 5d5dbd653dd27b4562f1209a38a7a3f2309ddc827b8cb160ecbbb7d54aff23b3 SSDeep: 768:SeiigGWC+PJnfsdGC/wC3AbCNQhkiMzGhPVFTaKYwtvP547mN7Su7S4nD/6sx95N:IdGBCfOB4CNQhx12mNeu7BnWsbkTy |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\e34RV1owXwdn9\bQRxFeoT.odt | 0.98 MB |
MD5:
be28be8a4850d73108a1bcc8f8491596
SHA1: fd36e428758e94a6963bc4561efbdf6d56f35821 SHA256: 3715a48221ce31811a2ce2eb9ce4384f7debb61e8e0dd08b1ae5e3476c03b11e SSDeep: 24576:wq4N0k03XDJCaK2x9omc6g4i4gSmClxyb:e684fMb |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\e34RV1owXwdn9\e7jktwAzMIP7-i51u.odt.locked | 8.44 KB |
MD5:
204c57b0e3d5f7138cb9a7702c435ec1
SHA1: 2b76377765aff13e92cb73b7de2bbbe2a3350cf5 SHA256: b95de1423f73394852519a216b16b90ee2f047c8b6f504a99cf4dc86ab2495bf SSDeep: 192:22N9mozcIPS1Uiep+vNNSzy4wk7/njnFAUvF:ZmogIPBWTSzbpP72MF |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\e34RV1owXwdn9\e7jktwAzMIP7-i51u.odt | 0.98 MB |
MD5:
5a6a5244aeae430d82c826f232ef693a
SHA1: 6c2f36e84fb15aa66b49f19cf59c859a286e8614 SHA256: 005d996eedfda27728a97aef7e1b751cb13f406b290cdd76a3805f48d56c4b99 SSDeep: 24576:0I6ohBlO0LApfF2TfXiqzzktX+Pn93v8gXwW:l6oMoviSf3 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gt7FMXw.xlsx.locked | 29.44 KB |
MD5:
927b8e2dc1f350070354d7e20a150497
SHA1: f74fb72df3a9c543b235d8a8442f26081c355bf6 SHA256: 9a460fa1998c059f8eb8b79f5f5191d0af3492aad4e2b28ca8236b89393fe66f SSDeep: 768:d9dw5tA8tF1TXSamEQYOjoba5prsTNJ99tjkCk6O6EbY0CUll:Hd4jKEQDl5peNJ97wCpOJ0q3 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gt7FMXw.xlsx | 0.98 MB |
MD5:
0c8719c1808c0f6561bd11e78c9f78ca
SHA1: 11fdf9d2838683e2c67f7d9cc4fb256ce06b10a5 SHA256: 596586602b1b192a47e0cd03d1dcb0a179b71c5a30c559e80d41b615edad3f87 SSDeep: 12288:A8h6hKM1jrMihej60J4cvhHorri3eu/mwCaUBdmEGKhg6nsIbKjL6fN4bPcVCK5x:ALWcej6Bu6vBgih9sIPUEV/5PZn7 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lvnpUtkIx63C1rzbXRhw.docx.locked | 89.93 KB |
MD5:
a86787c1b30fc0bbc602f37ad859a925
SHA1: bffdf8ce866494d72149bc2dfb0ee26aea3e0ed8 SHA256: c380a0f3a8dbadacb18367b40041266bd2068cae2843ac4dab218920eebf6947 SSDeep: 1536:AKslZMQ21JjwdmwJbepOam8i0F6uY7Rh3bSDiAyU25O5Zbp/BFMMzSh2dIWaf62q:AbZx2Hnw1tj8rFTQLnjU2kJBFnzDdP4m |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lvnpUtkIx63C1rzbXRhw.docx | 0.98 MB |
MD5:
f164dcea9f54c8c7f50ae63ee1618c7e
SHA1: 19a4fd3858137f0693543c36ba1e2cd13a7b1500 SHA256: 215be542c07ab703781539340dc69031bd531e5e3dc73f583a7abc8d2bb021f9 SSDeep: 24576:VvpCHMP9IoWdu0+v5nKSB068xvFPKP6cnNUQA6h3:O/YvRBWvFZcNl9 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\uddpH51fz2A7yQPy3.docx.locked | 5.59 KB |
MD5:
4d375fc9da605bf170c4e5c91d2b8f7b
SHA1: 7c7278dbaefb32775811919b782d8f772b1f9f14 SHA256: 0cd548292e61681bf99d7e44991d4a4fd4d856efabc9df6a6bec95155a293002 SSDeep: 96:708EDa519tbnJcm7el8vt+iFr7DhB1I1jXD/pJvbBuj7yLQyrMgLsIQk1BawViKP:70Ef9tbnJGW9b1I9/BrjQkJVHF6Q9 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\uddpH51fz2A7yQPy3.docx | 0.98 MB |
MD5:
4c8332f454aa5b35eefbdd255de60ef3
SHA1: 81ea45e047596b7195bf4278d34d0d340ef0ff84 SHA256: 0c570ad0fa1c45e1a294c7ccb6e3c42c826068b931e4d72397393518f4cb00ff SSDeep: 12288:npMu/uGsI+CrOHqHmYUfOQSpzx1KT4onDhRDIYQ2HQh4zq4dCPnbQjU12VxoUozC:2C+wbmBWDsxnDb9Qh4+40UV2Us5DhY |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\zZZC0cmO vW08IPLyF\Bqf77uf1A55AN8jmxE0.docx.locked | 61.70 KB |
MD5:
8ffcd20c42350a091de3ac8fd6b5bddc
SHA1: 6f617e03ef0be4879cf64e16590b44b98db54477 SHA256: ddfbc89b4f0951da116b9950c296d3d22f9da3633949f20efa23dbc61f817aad SSDeep: 1536:PIg0/1D1tgD41soC+vNOIcCmmFAQDV65GpUTrWb:y/1y4SoScbRpUTru |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\zZZC0cmO vW08IPLyF\Bqf77uf1A55AN8jmxE0.docx | 0.98 MB |
MD5:
6fc013d16668387b2c6ec7442bfba614
SHA1: deb79c46e4be4dece3c55eae6e0cfbd356d62924 SHA256: ee3f98897c5760bd27eadb2a3b4530288f42874b71dd1aa0e0854dcd9a767760 SSDeep: 24576:OUiPAsp/sG+HXghwGS08JkDCM8HqFYoH1WGJuK4:OVjmF1tXM8MnX4 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\zZZC0cmO vW08IPLyF\LlnXf.xls.locked | 42.02 KB |
MD5:
169bab334b375df01098a61837e52372
SHA1: bd2a76e5625afad6111af5f7ea790d10cd1b6d88 SHA256: d99a2c6af815a43acd5fb17fa800837fc6901413192ce5c12be6a45ef0d08af0 SSDeep: 768:1EVD6Sgj2KDDIjOC6yGEXYdiehPVhRcf9nrngTfdObbFZN9yvN3Kii2:2DZa2gsCCLC5dxY9n+V67NAvwii2 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\zZZC0cmO vW08IPLyF\LlnXf.xls | 0.98 MB |
MD5:
fe4ae688f32020c9452bc754c7955171
SHA1: 9e5413568dce81765c5b40a5e3b89b9c09b5fec2 SHA256: b003ad27256b46a3e6528884eefdb13eb1c895f8472a3edeb7d1e1859aa61036 SSDeep: 24576:lk1jt0bA9n4HGRrXRr0xIFTQsRDLFrfEB1C3UOvvzPnY3:ln09nbBhrMTC3UOvvzA |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\zZZC0cmO vW08IPLyF\RuF fqkFm-urxCQfPr0I.ppt | 0.98 MB |
MD5:
92b38a33904986d4d82d0e0d9736f7ae
SHA1: ed481acb7228f980db3774078f5e16eb17511e65 SHA256: f322b854cbdf70c3351dc6fa838db9711ed861462e0923aa41ef4569bb063a37 SSDeep: 24576:Mdi9s8KvE3pQPT3QWyxTC8Aew4vKPaq8CtLI+wRpjwq:uuBqcT4qPwq |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\zZZC0cmO vW08IPLyF\blGRvAO.pps.locked | 20.84 KB |
MD5:
5321f032fd9a293576e03645c271ffd5
SHA1: c55cc4dbbc566a7e14a4349d4b0f46db16e4016d SHA256: 024f0c8d114e313c8b301623a225ab523ab4ee772c2bc6696c972098a802b6c0 SSDeep: 384:L2rdMUxoPi1geFAxZEvXTC+V3Q6AEYpFrvPnzaLI486SVvLSZld0b5hU2j4:Shxo3eFyEv/35AJbnmh87LSZT0TUx |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\zZZC0cmO vW08IPLyF\blGRvAO.pps | 0.98 MB |
MD5:
bfcbb2502c4b0e8832d6fb4268b2b47c
SHA1: 57e806234136aa1e1aad70c2e0932afbbbf3cfe2 SHA256: 7209f42daf23032d669472c6d9051b5cd619e28e4ed49c4e8c7777082551aedc SSDeep: 24576:BFalWbtbng0cJDtQxz3lOnaYaY1+HGkEOV:B3uMIaYu |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\zZZC0cmO vW08IPLyF\hTL2X-ua0.xlsx.locked | 76.78 KB |
MD5:
493a8b4292268fb3d1ef12d141835982
SHA1: 530216b839555d78d9ede97910f5548de05bed90 SHA256: 8688af59e6b3bf5d001387606842471080decfddd4b0b18bfaeccef0be123afc SSDeep: 1536:wwtvED4ehOJv1D44Vcf9uUeiRk4hmr8fQY4z/WRTqP/H9Um2q8uO:wwtOO5BVwwwzoSmb83 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\zZZC0cmO vW08IPLyF\zxy1zpsMEyu9i-oEm\izAPhrCo5geU NpBp.pdf.locked | 29.80 KB |
MD5:
418505e58c91fdff874e006433666a4f
SHA1: 8657a58142d6582fce7b8418c1703f2f6ad5d9e9 SHA256: 036fd60d4d67b87d19b769258d13bf322718928b7472a5f7ab4f73337c374359 SSDeep: 768:Qk8QNGQmeCPIfk2/HKCq6ZhaHg3greCOSXRIX5xPTXowDrjAhDGQ8IQk:QTWUsphZ8epSBU5RT4DGk |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\zZZC0cmO vW08IPLyF\zxy1zpsMEyu9i-oEm\izAPhrCo5geU NpBp.pdf | 0.98 MB |
MD5:
5aee39ed083bbc4fa146dab302270358
SHA1: 6eb56cbd9944e2a62a70fa37b0462318447458b2 SHA256: 6ef28bb4213ec85271dbb520dc46ecfdcfccd60ee4452b0c6b63f40693da18dc SSDeep: 24576:z3WT5D40A7sqGOxKkvbRhTXOPsKntUczISAwb1OLQZjh:ZhCslItZt |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\071XbJ\4kudbYFod536W.mp3 | 0.98 MB |
MD5:
8dacd291bfd34a8acf9894b69b764b9f
SHA1: 96a887c0bcecc4bd2b724f2e69b908bd6c2e1c79 SHA256: 3a52908180c35ec053532ba958fda5ff680ad64bd4a157c9695b633190173c3c SSDeep: 24576:xaAD7p0W+XamfEk8UD5eN064A6u/SV3nnXHH:Fnzm8QcmH |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\071XbJ\6y9cXxGS3Ie6eS9MzHg.mp3 | 0.98 MB |
MD5:
2e5dd75988ebc776cabec3b74209432c
SHA1: ea8280b05400d613b4c78714bc4ccc3c0d8aa41b SHA256: 870cfd6d3ba5e2fb9a08e7f62a5c2eb85fc75fcc360be370d9f76ccedb7eeb75 SSDeep: 24576:psi/qe9EO+KMUE0HaQNQeNK1jYLorqs4T:psqzXNyY+8 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\071XbJ\Kql5D AvlhFAAIgIXG.mp3.locked | 29.56 KB |
MD5:
4977b13f30d02691f2b4369032e979c5
SHA1: 9b9f2e5196df70de783510a4f5dc4cb8b5d6347f SHA256: 788e3631fc6f6df5fc5e6fc3fbee5062016165f865fdf384fe75710a20eedc54 SSDeep: 768:1vLZL15ol+fsS4ykQSD5Wm+yLbj4++8FkXiJ1h9Ljz:1vVLcldy5Mhv4++gRJPz |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\071XbJ\R_LtNbRdhxzRBemmy\SbedjKy53aXL.mp3.locked | 23.50 KB |
MD5:
0871dcafa6b817b18ae466f8f3906649
SHA1: d1223c16553463da35d6f0c04c7f23841551a7d9 SHA256: 9478abbe137570add486b6ff462573f4a953cb8ce680749f9794f5b572fee741 SSDeep: 384:EeQxOeOaZ9Sg5ijC63ZABZN9EmBBTv4g8uzDVjR2EALD7kJn6wRNRF/r0+rjfVQz:EeQod10N2mn74g8cVWkJFRjtrrbNEOx2 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\071XbJ\R_LtNbRdhxzRBemmy\SbedjKy53aXL.mp3 | 0.98 MB |
MD5:
14e44be9173cbcfcea7d21248a08e1dd
SHA1: 9dc54a3f2dafeae1fd9713630aec7596e78637cd SHA256: decbfaf58b4241a6e06b3819b5dd3005481f0d44edad11cb57f0d05a557ae1fb SSDeep: 24576:B91dcdTYPjoy8L3aKTT0E80Vi/UYw3NYjkgS1qKDg:P1CLALJA84g |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\071XbJ\R_LtNbRdhxzRBemmy\dOTEpDsxVXbKTz9_o.mp3.locked | 15.76 KB |
MD5:
b03d010a8a42f6256abb39a20c9d1ff3
SHA1: 9187272e48d8f7f4c70b4858ab6d03b06ae8fa2c SHA256: 0748a3010a3f5b7291ba4a489ed9c7319abf6ed82eae77851fb471f93b68adcd SSDeep: 384:stn2hxhcdu+Oo5KSEst864FFbw9uA31lsmIADjLD:EQcd7Oo52i86giuA31TPjH |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\071XbJ\R_LtNbRdhxzRBemmy\dlez1\56jXG_rUP2Pu7xpB-7.wav.locked | 46.11 KB |
MD5:
b59f1bb6d8c3ac4e7fc0852691bc4b4e
SHA1: 9af8ee2ebb7b6d81f418c2cc859365c01986bc7b SHA256: 8646e2c4a142e39fec32f56e0156f6358d72ec1d0f96fd2f5daf4b665f923e0e SSDeep: 768:6spwYcC4VFbrP23qV9BWVX8TexoxoFXSqs7iPV0hkmXNu+oaWvibPCWFus/p3O:sYcdZCMTex+oFXSqOiPV0hkmXNu+oajc |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\071XbJ\R_LtNbRdhxzRBemmy\dlez1\JhyKkJx_QpfYC.mp3.locked | 73.82 KB |
MD5:
071d0c08cece0ad32136fb32da8ef289
SHA1: c82ed29acf8f3ad83e9adb75b28d4cc8ba367d09 SHA256: e08687c9014b0e43de567d792d48c38340e4e747c7ba43c72170917206a47f3b SSDeep: 1536:s/3ywiAiA/gwXQJjlDGuAj1qB5gniAuY8rpLOyk/GWXOGf90Rrm5iDIViKG:s/vtgqQvyFqB59PDLu/GWXOGVFrVVG |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\071XbJ\R_LtNbRdhxzRBemmy\dlez1\JhyKkJx_QpfYC.mp3 | 0.98 MB |
MD5:
7785ac7779a7c71a0aadf3d526f64dc8
SHA1: 91dca0c71ff1454106eb5b881e05eff11ca1406f SHA256: 68bb4c3ef6b6042b640a0634ceefdc95dda3aa12b942591ff04696633c36e81b SSDeep: 24576:rVpOTvU0RCCo8kZcH2+g/FC32vnpVEjWJcqddQgmkXPHstAl:r78mNCcfpmaEtI |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\071XbJ\R_LtNbRdhxzRBemmy\dlez1\QIy9IyIY-0h7uwPYNL0R.wav.locked | 38.00 KB |
MD5:
ebf0caafd2ae6dfdd7b933aa70ded75b
SHA1: 6af3f1e3628e3a69d52122789fbdc7541d1f1c1c SHA256: 9fa3103463a4238e4f855607a33d91dcddfdfd9d05213cce0a0ba95a8016ee8f SSDeep: 768:MpmBCWxp0fa9XFNrLmOV6Ni4QhcA9xglzhS6L23C+QV/SRaTY0QJ:EyCqs6XFNsi4QCdhDLKQTY/J |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\071XbJ\R_LtNbRdhxzRBemmy\dlez1\QIy9IyIY-0h7uwPYNL0R.wav | 0.98 MB |
MD5:
4b0f2bc2b4bee42e5258523c14a7e1b0
SHA1: 1a404c698b2519102a6efda3fe2dc18443970179 SHA256: 1e42fee0128994d72f8e54f9c2fa9fe43b01bf06dab9480a49dba4d08248738e SSDeep: 12288:7q40dqs5FlCvktMIQKrqDRq6ACEOlfO5FODGzMDWwywI3x4Msam+LEN60clc4RqP:7qnlcgrqDcpCn4FcGQGel4RqPCP6 |
|
|
| C:\README.html | 3.09 KB |
MD5:
064f0cacfbaa70afc3b11197c2874f3d
SHA1: 5c46a8b49d1c13519968977c91107783bd3da968 SHA256: 08bc4fa56faf2ba193480a0f6daf3cbf86649966048b0a556b48f80eb3b54082 SSDeep: 48:TGuuHVzzn521hu8VpYUhg2Pco3uKGFUDPw64VJ5EZ81AxEjzdJvhVY:TGuuHZz52Thg0gjF4Pw6i6sTHdO |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\071XbJ\R_LtNbRdhxzRBemmy\dlez1\gLDnq5k8FqlCxMD\1n9mZlXtVJQa.mp3.locked | 68.72 KB |
MD5:
693aece3b9d33fd18721980ad5224051
SHA1: 47b318196b92fe4838f47151c22162a352bc6374 SHA256: a30ce7ebad863bdbe2d997a873d3dc185ed33e95d3d9252bb049b2a1133bcbb8 SSDeep: 1536:5pJu+JYjlIiY9CRFV3oXH+dPuUD+J0Ktu3iBV3KP4/Hu2Sj88QrtBv:5Lnqm9CRFmX+dPouKSiBBKP4/Hu2SgBX |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\071XbJ\R_LtNbRdhxzRBemmy\dlez1\gLDnq5k8FqlCxMD\1n9mZlXtVJQa.mp3 | 0.98 MB |
MD5:
f62a0c97819e9f325d9b3e9e3ba600a5
SHA1: d034a26cdff61a9b8caeb2c783bff861e8436849 SHA256: 9fd3e28c39a19238d3d1eed39348236f0745e0d83140ce049201cc79eadb2ddf SSDeep: 12288:g4XjWQqfzMsia7rpDCx6Jfj49S6Ct34al3pbeBGP5NeIQZbIdf+1RLnSgw/7Rd7J:g452P3IP7al5KIN/QadfMO/fSq |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact.locked | 1.27 KB |
MD5:
247fe53e2ac2603d814b84b5bc8871f4
SHA1: fcaf9c99175c73eccbbdc55c2ed87a33b73654de SHA256: ffb37ef4233f8e23995974f55f380ef59bf2714aba7256441e0e828ad38da81a SSDeep: 24:BNWKN4dD9e4WIMl27genT/rW7rNgbP1fMo62NtWi0g7dnuDFZ3AXIS8f:BNWC4NkpeHOJgbWo6El0ghnuDTQQf |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact | 0.98 MB |
MD5:
688545cacbfec6defd6b9ce889a61b7a
SHA1: aec06d7495dd5f5c76be206318c29f2d84845d6c SHA256: e7c96496cf8191cdbb7a40c5e4c0fb842ab275121768a7f6d370bf1db08f9a21 SSDeep: 24576:Ap8n5pubNXYwZHsInY3aVgcKCWMFpFt9KI1Pq6QCKm:W/ow10aV9FhrsE |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact.locked | 1.27 KB |
MD5:
4b134a6e85af9828dcbfb9d9bab425a5
SHA1: 99f92f9f1d151a44ee0fe31e907e3e5cb5866ec8 SHA256: 758912595f24214dbdda42cfd05becc012bf026b0508011fc1bf22ee7654edf9 SSDeep: 24:Xx8GWKdoN9wa7X2DaFNCA3uU1JVqt3xs05+dJ19Q4vni5g1G2+:XuKqO0mSNCA51qtq0wTH1V+ |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\5ft3t_kQuOq_IXeynI9.png | 0.98 MB |
MD5:
1341d7935935be23700b7ec9b2e63b3d
SHA1: 42ab8978f1e36ec0addc4ac56a77c1a3ec17decc SHA256: d4a920168e102c5188c1e82c71839deed304ad9560efb892148967cbc59ea08f SSDeep: 24576:Olh8AJbH+aFIswsnqzytAZlFUaGiDmEN/op:OxJj+aNqbmp |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\BB3EjVzP-y.mp3.locked | 68.15 KB |
MD5:
e7f63224a0e9fd8c76f63b115d1fc26a
SHA1: cfe36c071da6ede6216c5cea0337a9b97c22206d SHA256: 624ec4e53dd379bd6085bd58b9f58021ed3e3c9a031fef6cb5bb34b9438769bd SSDeep: 1536:ctUIQHxydu9oNrUA+qQ0XxbY8IfmsNOPzFYqzrVgNulEby8:ctCHxwQoNQAU0XxbYhfmTYyrY5 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\BB3EjVzP-y.mp3 | 0.98 MB |
MD5:
ee4d0b335a0315b53291cf74ffb65361
SHA1: 0e5b62aba8794bb33020271283117b2ffd303f29 SHA256: f3fd49516b8819a0ce5b44fae9593121c9af01c5098a8618264031220247b85b SSDeep: 24576:Jhgv8EgycrzUp/TJmly+KNDRJ8vtETFNmWslrEld:JE42EQdNmWZd |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\I8YLdLjiG.mkv | 0.98 MB |
MD5:
72b7e8e1278e7d50646725b516e4e119
SHA1: 6b82c0627fa0860aa40bbb5170e724bf17d341d8 SHA256: 859bf8685a73f71860e647dc42847bc646d82070690d7f84f3a63b0a1dcadfb0 SSDeep: 24576:cuq8/nQ/rChTfpurYoGNGyWGS9Q6rcAk/56RifOZH:xUreZgGbsRTd |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\YvYs.gif.locked | 28.12 KB |
MD5:
9b2cfd38f169196aa329b420706d2c8e
SHA1: e819bd9b8a8ed68a01e8ea7db24ebb3476303430 SHA256: 4a75481823a997f6dd743eeab0e18543856966f6c3b44ed6dd6a05ed751e3f4a SSDeep: 768:MM1KhR+spAtx4qfbcyBEpr1bMkz51WXoPeNm:MzR+spKTYyOplMkzBPh |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ihBRwI9DVtya7Z.pptx.locked | 95.33 KB |
MD5:
00fe6ffe78d5ab7541e6f9794dc4df8f
SHA1: 4dec941d680c95936add76c0fa34271bda90d32e SHA256: e60e5d998a2653a86883608d0f058c29a9e0c8ab24548eaff70a2eccb016aaa3 SSDeep: 1536:TWpbGMVLSefl3dta/EZZiJqkEqB4dSH4QajK6Sj1EuMegvgeL/CTalAAg1UqJayN:SGI7fldqEZZiJqnqB5MjEpKgeuOlAtee |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ihBRwI9DVtya7Z.pptx | 0.98 MB |
MD5:
369e6513f070cbc9876c5a9b98ca18e1
SHA1: e56893b753b61c3d306c44c48d7d3be1f7808b0a SHA256: 698b52b2d48e957e4e252686c0c9e00f21f7eb5207b5f668a2e5606abd3ab908 SSDeep: 24576:o8CqVoepA+Kq+qd4weFLoqzWm/Qj92MgeWv1:Yepn+3nk8Q5I1 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\jOgQ2vmu\RYzmia1V.mp3 | 0.98 MB |
MD5:
c8abd1c67476779a6dabf454790c2e90
SHA1: ad708f76ed1f86a22af7e6efb30d462f2b05a66f SHA256: 0af4b31142d21ce7729e7668d026707addab69d52611fc1f7d6a35e92cf1ad4f SSDeep: 24576:R9NmcK7Aae6MYAI1fYuZcsJPpo82BGQ6OP55:xdWAJ6Mu2uxpI |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\jOgQ2vmu\_cxpP.mkv.locked | 42.70 KB |
MD5:
d90b55b2b45e884e98cf80720a08d97b
SHA1: 0f61ae0d412c9fa93deaa1634b8daab532bc2ca0 SHA256: 478948a8f9ca181beef2142424f9c7d54b24c325da5d5b2b5bbcc9c8a669ce49 SSDeep: 768:oMTImAxruNgl32xDLCVADQwydHtNKB2sEAyVUT/rd+Khl:x0txRx6L6ADQFHtNKB2sEZ4YY |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\jOgQ2vmu\m26Dpmh_oT.bmp | 0.98 MB |
MD5:
a2b29b0f284a9f794f8ec82f1cd7e80c
SHA1: 6d43f3d180be76febc1978d39a13098c363dbd41 SHA256: 3e74859b413b65eb4a9eb35d48ed8b4ce813a8d9bd385d64c4d30e29272a66e0 SSDeep: 24576:xQHAxZ/lbVzBSui5z5qazjvt4cFGMdovWdt:aaUVzMw |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\jOgQ2vmu\pNpGn.bmp | 0.98 MB |
MD5:
79d46ba2cedec22f810735bf4d21e05c
SHA1: 966ef5b4efaa48116adb7567665657a05ffac5da SHA256: bc1fcab0b8a7ecb96d0ddc9ceb1ef357f8f5fe7440d04a29824ed506056d0ac5 SSDeep: 24576:ChiLAIywaip/S2br2ztu49zTJAzrPqKYlTSxKuGrIz:jyeSlzc6RAzwSJ |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\tFeuNNoFgT3OFYmqmD4.wav | 0.98 MB |
MD5:
b8da8a1664bcd4e9d11573dca501540a
SHA1: 892c320feaf2a53b0f7e741ffdbd247d1af5cd9f SHA256: 6c0078a0c951a11316040cab491d0ffb84c8a03e4efccedd70d8e042e807dabd SSDeep: 24576:INzYz3mgjUPStC84eNsZGROc42X+Jd0rZEa7ILgWxQOuMs:ITQdl/t7x2i |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ua-gd3_2Lr0.png.locked | 88.47 KB |
MD5:
78bebfad6cfc41be609eca7d5c86b23a
SHA1: a38748d9d17efea54699f45381bfdb857874ce77 SHA256: c85a7f640294e21c366d7d4956a662e0f137ffab8320e36613e4c6a45311b350 SSDeep: 1536:3NsbsxPFHzpfOFEi8THfByTvqfmw7w3ETAO2ZF5hYdpWtgnQe2WQJ:uoxPFTk8HfsTmmw7YETeZvhYqOnG |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\vFj8enUSau3xYExaO.wav.locked | 62.75 KB |
MD5:
15e6e61a78b5b5c6b298d613302d082d
SHA1: 5ebd7239b4e97df626b08255c2b25e0bd4b9611b SHA256: e0f69449ff6cd11d7bfa0412996346183d52c393c153afd08fa65cc0dfffa008 SSDeep: 1536:XVvjW3UOx1IYXgj9/aArmW/f/A35OO8aN8XvlTP:pW3UOx1IGgMArmW/HA35OO8auXvlTP |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\vFj8enUSau3xYExaO.wav | 0.98 MB |
MD5:
c0757b1dd2dd879cfd3d682b2741fd76
SHA1: 5ca0508acbf8c93cb60ea6ccc9d4edca3eabdb12 SHA256: 05323bf63e011776268e785545c31e39d48d0f69325d4c79a8593de94e010379 SSDeep: 12288:/fEjawTdWo6MS7oi3WoUn46zE8yTJ7ZT73zuunX4A3JloKOt+HxQeuQYBi0U1Fjm:/c/gBk/oQzm3quI6qAHSlQzjxbu+I |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\5uaSR9B ZuPf1BTfff.odp | 0.98 MB |
MD5:
0dec3ab023b754bf9d33c8318d3ad269
SHA1: 2508bd0b60992b8fbeb6f9132dd2e6aca9856493 SHA256: f31c1b673a8f6f9dd0a36d1121afd5adcf8efd8f53e1f9925eb0cfd2778e412d SSDeep: 24576:o8Wp7vswEVEA0/n64y0FGIjHV1nK2UMIGOOtHAVVA:kWhFIbnHU3bA |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\92_SxvMwhaREWv_iEiv\BbPNjGtemOLJJ4CRkVP.xlsx | 0.98 MB |
MD5:
b6304a50cce351aeb33832f23995f95b
SHA1: d2d672cadae4a7b821bb24e93386575ab048e45d SHA256: b498b89533b77c42d2080bd28d55a1ec3464da133557e4584fc0a043dec3fabf SSDeep: 24576:QekQzNtFtkZo7TfW0HRyjKbknSPZiEu2PeisbhDY:dHXV6aIFbhk |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\L90N\6iZpuv3BJu3uhtMtnn8j.rtf | 0.98 MB |
MD5:
97510156002de234793e2be4743ffd75
SHA1: a70a811633fccb1fcc2437e313c845153d527078 SHA256: f945e690bd3d5d6b2ff3108186196b4a28b31196c02fe6f34360ea80699735f1 SSDeep: 24576:O1u+JJgDNXlNF+KWtQFkCEDnviUNslN89yXbOh2qZnRG6ManxArXr:OClCG7vTjOh7+X |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\rBRyx6fXv755VE2eb\7pXJpJe.odt.locked | 20.21 KB |
MD5:
e3b44c241e530ed01404b4975c170a75
SHA1: a5bb8b8f45d432dad6a07f2ec2b8109b1823105a SHA256: 94282982fe665b9f4dfffae8f7fb7c76e85863f53fdfc241a64652d120af73cc SSDeep: 384:tZ557/0qJaWfD6LT87KLLB66WkN+di4zXlatONz5S9HBFvB3rGtu3H:tj578caWfD6PLLLB6amiYX4tONV4vB7t |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\rBRyx6fXv755VE2eb\GFEs.pps.locked | 26.42 KB |
MD5:
cd9f13414c472efcf420023de3d9395c
SHA1: 8e74c713e968ff1f40efac050ebc816319d2df72 SHA256: 868d5a8f6452c8a4dd3d1a5f1465a7cf7f3e0b2de0c9cd3aad16c3aefe36fd79 SSDeep: 768:W+GISJEmJMoxEobhNhp7t30AdRijpG+Fe8re1TD+jM:W+GISOm2o1gtG+FZwn+jM |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\rBRyx6fXv755VE2eb\XdnIlhat.pptx.locked | 75.85 KB |
MD5:
9540fe4a1f31ea8420941a99b7b392e8
SHA1: 2cf3a644823be6b0f1f4fdccc6ba5d6d9608a8a7 SHA256: b46da9f48ebeaf986d210339d1f936d0b2f6e3355ea304fe098f1ab9b21e1e74 SSDeep: 1536:3H8H+ttDY6o0WVNKn8V+yZoXnuzPEkqk/M6YTIV9b916uRWFa9w1pRmn:3u+tho0I8n8hoXuPEeM6BXR16uRWgEDU |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\rBRyx6fXv755VE2eb\XdnIlhat.pptx | 0.98 MB |
MD5:
8bc252c7a76a183a6f7906ca47e4fff0
SHA1: 6c287252456812b5acf172600c785b8794b13f7f SHA256: 0a28cb032ef184de4b34240fa896670616d2826e0dbd73adce559bcca9ee8a05 SSDeep: 24576:oU/ahs0SJnS1oWIP3ZvIvw8wBSBJ02hP53QNdpSCRs:mqnSTQW1hPc2 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\znj4GRNLu Ef_g3D4bC.csv.locked | 80.55 KB |
MD5:
0199cf37bbb70b07719a41e4c426cc71
SHA1: f810c46f69e0cc32ba61eafdbdfb8d7ec78df801 SHA256: 226687ce7c08c4e7ae547312249a8423b53176a5d20803637be0698fbccc09f2 SSDeep: 1536:vON8C3Jz3g9uk9U7pIqKg08Zuy5TKfNsP7SZX1R6q1oNn8iyw1qYCj7guU1H4Rd5:mNrJk9ZbHg08BT+2jSZX1R6q1a8pMlCH |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BNZcRVrP4ZNbQtfNT_rY\znj4GRNLu Ef_g3D4bC.csv | 0.98 MB |
MD5:
b9f02f52ff64d3ed11c09d31ffe34a88
SHA1: 600deb8c9fbac75a56bf15b039cd0b12d3f7dc63 SHA256: f10ebe6e20786117e83c92018f2a2ebeb63e09ed0260a592abc55409932023a9 SSDeep: 24576:cKMAhkVekAEE54Te4S0pK+TrPc5q1RbR0:tX012xNBRCR90 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BQDECG7yW3K49TIHOfCx.pptx | 0.98 MB |
MD5:
5cf0ace9375b20197cc2acc45b0955b1
SHA1: 67c05eb8d53ffa706a3d16ed2ec68e3f8bdf77e1 SHA256: c533f8c760c975bb5603b51c14bc30812937b8dccf4b43310bb20e57cb595de1 SSDeep: 24576:1ud6ic+tEG8UMgVg2b6Uv0UHTIiLHRLi4Q9sMiH9dDpLRvV:81IiHTJLHDQYRV |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\FpBJs9T0l nBN.docx | 0.98 MB |
MD5:
657270d35bddddaae586025c6f093645
SHA1: 8d6f105c05b76159229631abf8e8ab5878a7979b SHA256: 78acdf19b89054c442059ba1470df4345cdfd8fb009ec2f2344a6788e07a0fc4 SSDeep: 12288:vX0iI1n/HcFHsD8QLeyuRREnOuNzkxY1Gp9CFwvcPRzHjBVMJM0NbMxXP4/RHt2y:M1tfzQujus29CFw0PRP3eZHLr79h |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\JD48gNU5dunhkE8.xlsx.locked | 85.02 KB |
MD5:
8440db3553ce95a328bed93e04ce041f
SHA1: 6276272ff921c2372b6b61af54407c865900b70a SHA256: bd4889b527135809130abfee8e4e72afa4ad2a6a9f8c7a555f6c110946dafcd0 SSDeep: 1536:CLLIipgfrp0NvgkdmNkoUJ/A2kVfWkWzmIAWJDeuVRZ4sILIFLP+on2+1:CL0ipgfWNvbIMAxeFmIAs9istFBZ |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst.locked | 265.12 KB |
MD5:
a66ed33012bb2b2de6a1dc88d7903e9b
SHA1: b4b5afa9a1dac3bc1e555690c5575d0c887c5c1c SHA256: 44de7c2990f20b5356e7125119064845d75dc509c049fb762fa5508047475f73 SSDeep: 6144:JRHg2bov82OHqcnEh3Nt2srPODOppgeeUk2tAzatxaibM3Ie:giyTPlNt2SOypuPMGViI3Ie |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\TWBNkQ26WWv\5Szp_wWr9PENCj1pF.odt | 0.98 MB |
MD5:
40ec831960eb513c0e60b56f4bb6146d
SHA1: 44c52e25c7ec7cd08a40b88f3666f88a3e3d560a SHA256: 880d08be83e6a22e3fdcfa540250d427926d0172c839f338f7eb8a67f685a7cb SSDeep: 24576:TmcWfdcokiCsihz8VroAAHO0c8OtVsiGXi7m9F:CxGT7qAj6Yi6 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\TWBNkQ26WWv\V7fxtVeHfHqqJ_txoS\Dp2TlVTx1xkc.doc.locked | 1.33 KB |
MD5:
51a58eda6c0de8f2ce5b81407bc179db
SHA1: 4b2f438135faa2ca9c92864328075ab29a928d69 SHA256: f43d5f683dfccf4913fd6d5b948c43b5a1032a5057d8610b69a0f3d7a56af57a SSDeep: 24:zIEKxi80yG5j/xZutX2j54GRU7HIYpfjdB+CPB60dLYXYJ+U9l8a5xeqrYsNUDO:zyir1QtGjmGCHHjdsM0sD9l8ahcO |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\TWBNkQ26WWv\V7fxtVeHfHqqJ_txoS\WkAG.ods.locked | 30.17 KB |
MD5:
633af7707a3eaa7120e306f2b0224b9c
SHA1: f4c33e36d8d84fdd06686430b13549dba9bbba9c SHA256: e46808baf8cd403824d6c7ee1b20f0d3f405fa074633ebe03f3677e329a95212 SSDeep: 768:XwRza8p3EzVqTqnjfzoNS0wYbO2sHMBW5pAK8ofBkjh5G8Qjt7U8bgh:XwRu8RuOOjwFZWIW558Ljn5QjtU8Eh |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\TWBNkQ26WWv\V7fxtVeHfHqqJ_txoS\cw88GojW.pps.locked | 19.73 KB |
MD5:
d38ac2dbca75561332d9b02029940fb7
SHA1: 86bc1eee3f61ee43721c3b7dfa4cd0325482df2f SHA256: c0df0e05f81c9b283a1d8666b64f282b55cfa8a7c3246f8209ced74fe82301f9 SSDeep: 384:jnQdDx4PEL64djAeGphGwQqR19wsXOeKKFW1hwIX5CK:kX6Ee4NiVQqRDw4fUhx5Z |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\TWBNkQ26WWv\V7fxtVeHfHqqJ_txoS\cw88GojW.pps | 0.98 MB |
MD5:
8b47664ba0d122d6fa47ad41a739e0dc
SHA1: e87805d9cca7b6139e3ff4d409c02e79c6c442b7 SHA256: 150fde1a17f2a6fceb893622174a1b3b98eaf3a31952eb2460e42eac0b2fda1c SSDeep: 24576:d+hi1Pselz1efT+RpJd+ugNmZHdVBN7EUBb6ak:k+lz1kTlau |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Wwb LK3j94MnP6.xlsx | 0.98 MB |
MD5:
6c11298f5f199cb546299b0c09bdcb21
SHA1: 622994f4119a15c477c8cd5b4c80a2b4adc0c513 SHA256: dcfc0fdd5ee42c62d14d167afec56cee909cb9e2bd7d0761246cd44193a47aaa SSDeep: 24576:9uvxCGwwBa5kIQTrwhE1NwVgsFyyYzodDiG0lEfQjfLK5W7d:ow6JwTGKDPW7d |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\_3edhO843d6n2.pptx | 0.98 MB |
MD5:
7c2edf2b988e3034c1262075757b07dd
SHA1: e8d5caaeac843fdae9dd492862824293a0458107 SHA256: 7aa71272ae5ecfb8b6db82b70421ac738051300bb3c0444266164bd374ccf5c3 SSDeep: 24576:RrukZZBaBQI/nEOoGwUnEdwsSls1sR+IOOjM:cGI/BfXJg |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\cQ3HZy-ljR_WZq8CsVX.odp.locked | 69.18 KB |
MD5:
3a2f7601d9b641d501c908ee6e17ca10
SHA1: fcb3f869b91483b3ecfd5fe37c501691de963257 SHA256: 77fdfd2b421cae21cea7368ff2669950c66a9b5414ff9fcacf5ebc7ffefefc25 SSDeep: 1536:UlaGFT41SgQVPYmWaczB6jGOzWSTIt6LC5/Tcw8y+R:WFT4sguWac16jx2DWR |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\cQ3HZy-ljR_WZq8CsVX.odp | 0.98 MB |
MD5:
54da7412ad2fa92b54ee09fed35ded3b
SHA1: 6587a29426ce4b9d4192b54190345e94e269775a SHA256: 96cd363de4262c562d539cd4d162e895faaa1b644342005e8114be8073b49377 SSDeep: 24576:vID+7jy/0kxCchDAa/Rl+7tFoIhcR6JYd:H3b25GNJG |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\zZZC0cmO vW08IPLyF\RuF fqkFm-urxCQfPr0I.ppt.locked | 57.73 KB |
MD5:
529ec5f19be1b95098bd2f3ab79840f4
SHA1: e30c14442cf92069514e87bf5fef38fb3875879e SHA256: 1b83c736fc4e0eded5688d5cde4ab4068789efdf448e0ff5ef214c7c3b8e028c SSDeep: 1536:ws/IXeqxPXwSccjNzalOk3HGd+ZQqoh5pLfb1iRGi:LoeqxfHccjAlOkrSqoh5pDyGi |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Documents\zZZC0cmO vW08IPLyF\hTL2X-ua0.xlsx | 0.98 MB |
MD5:
d381600ebb25c4afdfe531d762760ed2
SHA1: 0e06cab370e3bfc2f599c013b932e9213fc237b4 SHA256: b8ae3c5576ef453726236328159c013a97bed28bc711e763bb11e15fe4edae21 SSDeep: 12288:czoU9W5mjs62pplU6PLWZGVIm1VRPkmjcXMUwNxy+9uIjQA2kDhbRTCm:czoUmmj2nlPqZGiGVRPkgU/+YBa9h |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\071XbJ\4kudbYFod536W.mp3.locked | 94.04 KB |
MD5:
af89b835a6f3dc1dfaf4066e13f8aebd
SHA1: 3bb2fa4d09129dfc1e327f7a40a6a2e3d6d4baeb SHA256: fdd6d69c0592c2f3760dfd750450a9d69988c3252e460a9ef33ba8019c6ba4cb SSDeep: 1536:KuV2+ADGBTmmlD8RLqP8z+fxMmHF/BmuU9VYpKQIrrUQ4BUDmyOZppz0QY:yYY2vBHF/Yuh8Lx4KDmyO5z0b |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\071XbJ\6y9cXxGS3Ie6eS9MzHg.mp3.locked | 20.96 KB |
MD5:
c6abcc756a95ac0415e48b902db1ee47
SHA1: 33dea87bc7c4bd4fcb1c1ddd9bfe5f7c82125fb2 SHA256: 43fafab460c3fc3b3372d44dd1e6baa585860fe16e2c142565ae6fe5f4599df4 SSDeep: 384:k3de7Sc5hUFVG6NfBSQWoA6zCFs352SnXbu2lFBIwsx9XFhnfjJLwZxyJ/:KthVFfjXu+35lXbuyFBIwsL7hwZxyl |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\071XbJ\Kql5D AvlhFAAIgIXG.mp3 | 0.98 MB |
MD5:
b3525df6d80f84f087f396e6402689b5
SHA1: 75c91f1942eaca398e40d3b9243a13857eff3104 SHA256: 6b6732c88b692fd6828ae35dfefe01edf6d1d5ad089169408e0b461228e25b9e SSDeep: 12288:81mYO/ZPX+Yqu4a10gW5L54Ltq2r+byX3lBGNDSgdj6WjMoC7+90RcWFZaX0Djkg:9j/p7pL82xX3lJ2ooPqT3RjQH0Xww+g |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\071XbJ\R_LtNbRdhxzRBemmy\dOTEpDsxVXbKTz9_o.mp3 | 0.98 MB |
MD5:
229847a37dbf29733ee5ce5e5b24d38b
SHA1: 2e589bb0b2cba63ea4f06022f807f438e8bebc82 SHA256: 4bc0a28b852c898f4789aedd9792958c725d79bb60be8452734e6054f511523e SSDeep: 24576:W/31zlzQZAyp4XJui8/Hbnnig7TIcGkPrpZUPJ:63pw1S7ETn5WkQJ |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\071XbJ\R_LtNbRdhxzRBemmy\dlez1\56jXG_rUP2Pu7xpB-7.wav | 0.98 MB |
MD5:
81cca95d52a796df05340cf70d13b21b
SHA1: 49b879f5924d037d675153452367f32c0c649783 SHA256: 032d0711ff98a4e9b98fc1860772e8bda627cfe60791d0c5f4220e3681565294 SSDeep: 24576:DBXsGMOTwmxoXpoAFOu0iQkP5APuYZtBCFrZqg:DhsG46OpfQA2ZW3 |
|
|
Host Behavior
File (4902)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | cmd.exe | file_attributes = FILE_FLAG_BACKUP_SEMANTICS |
|
40 | |
| Create | cmd.exe.com | file_attributes = FILE_FLAG_BACKUP_SEMANTICS |
|
40 | |
| Create | cmd.exe.exe | file_attributes = FILE_FLAG_BACKUP_SEMANTICS |
|
40 | |
| Create | cmd.exe.bat | file_attributes = FILE_FLAG_BACKUP_SEMANTICS |
|
40 | |
| Create | cmd.exe.cmd | file_attributes = FILE_FLAG_BACKUP_SEMANTICS |
|
40 | |
| Create | cmd.exe.vbs | file_attributes = FILE_FLAG_BACKUP_SEMANTICS |
|
40 | |
| Create | cmd.exe.vbe | file_attributes = FILE_FLAG_BACKUP_SEMANTICS |
|
40 | |
| Create | cmd.exe.js | file_attributes = FILE_FLAG_BACKUP_SEMANTICS |
|
40 | |
| Create | cmd.exe.jse | file_attributes = FILE_FLAG_BACKUP_SEMANTICS |
|
40 | |
| Create | cmd.exe.wsf | file_attributes = FILE_FLAG_BACKUP_SEMANTICS |
|
40 | |
| Create | cmd.exe.wsh | file_attributes = FILE_FLAG_BACKUP_SEMANTICS |
|
40 | |
| Create | cmd.exe.msc | file_attributes = FILE_FLAG_BACKUP_SEMANTICS |
|
40 | |
| Create | NUL | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
7 | |
| Create | NUL | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
39 | |
| Create | NUL | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
39 | |
| Create | NUL | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
7 | |
| Create | NUL | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
7 | |
| Create | NUL | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
6 | |
| Create | NUL | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
6 | |
| Create | NUL | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
6 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\windows | file_attributes = FILE_FLAG_BACKUP_SEMANTICS |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\windows | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\ | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\README.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\$Recycle.Bin | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\Fonts | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\cs-CZ | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\da-DK | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\de-DE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\el-GR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\es-ES | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\fi-FI | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\fr-FR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\hu-HU | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\it-IT | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\ja-JP | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\ko-KR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\nb-NO | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\nl-NL | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\pl-PL | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\pt-BR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\pt-PT | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\ru-RU | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\sv-SE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\tr-TR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\zh-CN | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\zh-HK | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Boot\zh-TW | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Config.Msi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Config.Msi\README.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\README.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\PerfLogs | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\PerfLogs\README.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\PerfLogs\Admin | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\PerfLogs\Admin\README.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\DESIGNER | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\DW | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\EQUATION | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\EQUATION\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\EURO | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Filters | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\GRPHFLT | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Help | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\MSClientDataMgr | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\MSInfo | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.WW | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PRJPROR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PROPLUSR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PowerPoint.en-us | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Project.en-us | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.en | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.es | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.fr | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proofing.en-us | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Publisher.en-us | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\VISIOR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Visio.en-us | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Word.en-us | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\PROOF | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Source Engine | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Stationery | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ARFR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENES | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENFR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FRAR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TextConv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Triedit | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VBA | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VC | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VGX | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VSTO | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Visio Shared | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Web Folders | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\da-DK | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\el-GR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\et-EE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\he-IL | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\th-TH | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\SpeechEngines | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\SpeechEngines\Microsoft | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\System | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\System\MSMAPI | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\System\MSMAPI\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\System\Ole DB | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\System\Ole DB\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\System\ado | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\System\ado\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\System\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\System\msadc | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Common Files\System\msadc\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DvdStyles | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DvdStyles\Full | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DvdStyles\Push | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\DVD Maker\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Internet Explorer | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Internet Explorer\SIGNUP | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Internet Explorer\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\MSBuild | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Analysis Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Analysis Services\AS OLEDB | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Analysis Services\AS OLEDB\10 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Analysis Services\AS OLEDB\10\Cartridges | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Analysis Services\AS OLEDB\10\Resources | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Analysis Services\AS OLEDB\10\Resources\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\CLIPART | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\CLIPART\PUB60COR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\CLIPART\Publisher | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\CLIPART\Publisher\Backgrounds | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Document Themes 14 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Document Themes 14\Theme Colors | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Document Themes 14\Theme Effects | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Document Themes 14\Theme Fonts | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\MEDIA | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\MEDIA\CAGCAT10 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\MEDIA\OFFICE14 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\MEDIA\OFFICE14\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033\Bibliography | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033\DataServices | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033\QuickStyles | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1033\Vsdir | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\1036 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\3082 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\ACCWIZ | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\ADDINS | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\AccessWeb | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\BORDERS | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Bibliography | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Bibliography\Sort | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Bibliography\Style | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\CONVERT | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\CONVERT\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Document Parts | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Document Parts\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Document Parts\1033\14 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\FORMS | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\FORMS\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\Certificates | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\Certificates\Verisign | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\Certificates\Verisign\Components | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\Certificates\groove.net | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\Certificates\groove.net\Components | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\Sounds | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\Sounds\People | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\Sounds\Places | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\Sounds\Things | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Basic | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\ToolIcons | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\XML Files | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Groove\XML Files\Space Templates | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\InfoPathOM | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Library | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Library\Analysis | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Library\SOLVER | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\MEDIA | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\OneNote | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\OutlookAutoDiscover | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\PAGESIZE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\PROOF | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\PROOF\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\PROOF\1036 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\PROOF\3082 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\PUBBA | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\PUBWIZ | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\QUERIES | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\SAMPLES | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\STARTUP | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Visio Content | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\Visio Content\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Office14\XLSTART | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Stationery | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Stationery\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Templates | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Templates\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Templates\1033\Access | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Templates\1033\Access\DataType | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Templates\1033\Access\Part | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Templates\1033\Access\WSS | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Templates\1033\FAX | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Templates\1033\ONENOTE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Stationery | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Office\Templates\Presentation Designs | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft SQL Server Compact Edition | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft SQL Server Compact Edition\v3.5 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\Desktop | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Sync Framework | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Sync Framework\v1.0 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Sync Framework\v1.0\Documentation | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Sync Framework\v1.0\Documentation\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Sync Framework\v1.0\Runtime | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Sync Framework\v1.0\Runtime\x64 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Sync Framework\v1.0\Runtime\x64\resources | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Sync Framework\v1.0\Runtime\x64\resources\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Synchronization Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Synchronization Services\ADO.NET | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Microsoft Synchronization Services\ADO.NET\v1.0 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Reference Assemblies | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Reference Assemblies\Microsoft | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Reference Assemblies\Microsoft\Framework | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Uninstall Information | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Defender | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Defender\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Journal | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Journal\Templates | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Journal\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Mail | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Mail\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Media Player | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Media Player\Icons | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Media Player\Media Renderer | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Media Player\Network Sharing | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Media Player\Skins | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Media Player\Visualizations | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Media Player\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows NT | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows NT\Accessories | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows NT\Accessories\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows NT\TableTextService | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows NT\TableTextService\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Photo Viewer | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Photo Viewer\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Portable Devices | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\Shared Gadgets | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files\Windows Sidebar\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86) | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Esl | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\CAT | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\CHS | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\CHT | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\CZE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\DAN | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\DEU | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\ENU | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\ESP | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\EUQ | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\FRA | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\HRV | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\HUN | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\ITA | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\JPN | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\KOR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\NLD | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\NOR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\POL | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\PTB | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\RUM | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\RUS | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\SKY | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\SLV | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\SUO | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\SVE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\TUR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\UKR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Javascripts | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\CAT | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\CHS | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\CHT | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\CZE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\DAN | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\DEU | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\ENU | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\ESP | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\EUQ | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\FRA | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\HRV | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\HUN | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\ITA | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\JPN | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\KOR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\NLD | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\NOR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\POL | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\PTB | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\RUM | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\RUS | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\SKY | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\SLV | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\SUO | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\SVE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\TUR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\UKR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\ca_ES | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\ca_ES\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\cs_CZ | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\cs_CZ\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\da_DK | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\da_DK\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\de_DE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\de_DE\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\es_ES | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\es_ES\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\eu_ES | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\eu_ES\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\fi_FI | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\fi_FI\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\fr_FR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\fr_FR\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\hr_HR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\hr_HR\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\hu_HU | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\hu_HU\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\it_IT | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\it_IT\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\ja_JP | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\ja_JP\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\ko_KR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\ko_KR\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\nb_NO | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\nb_NO\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\nl_NL | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\nl_NL\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\pl_PL | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\pl_PL\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\pt_BR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\pt_BR\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\ro_RO | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\ro_RO\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\ru_RU | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\ru_RU\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\sk_SK | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\sk_SK\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\sl_SI | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\sl_SI\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\sv_SE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\sv_SE\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\tr_TR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\tr_TR\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\uk_UA | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\uk_UA\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\zh_CN | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\zh_CN\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\zh_TW | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Locale\zh_TW\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\SPPlugins | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Tracker | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\AcroForm | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\AcroForm\PMP | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\CAT | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\CHS | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\CHT | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\CZE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\DAN | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\DEU | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\ENU | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\ESP | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\EUQ | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\FRA | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\HRV | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\HUN | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\ITA | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\JPN | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\KOR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\NLD | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\NOR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\POL | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\PTB | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\RUM | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\RUS | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\SKY | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\SLV | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\SUO | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\SVE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Multimedia\MPP_RUM | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Multimedia\MPP_RUS | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Multimedia\MPP_SKY | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Multimedia\MPP_SLV | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Multimedia\MPP_TUR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Multimedia\MPP_UKR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins3d | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins3d\prc | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Resource | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Resource\CIDFont | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Resource\CMap | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Resource\Font | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Resource\Font\PFM | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Resource\Linguistics | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Resource\Linguistics\LanguageNames2 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Resource\Linguistics\Providers | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Resource\Linguistics\Providers\Proximity | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Resource\Linguistics\Providers\Proximity\11.00 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Resource\SaslPrep | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Resource\TypeSupport | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Resource\TypeSupport\Unicode | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Resource\TypeSupport\Unicode\ICU | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Resource\TypeSupport\Unicode\Mappings | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Resource\TypeSupport\Unicode\Mappings\Adobe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Resource\TypeSupport\Unicode\Mappings\Mac | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Resource\TypeSupport\Unicode\Mappings\win | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Setup Files | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Reader 10.0\Setup Files\{AC76BA86-7AD7-FFFF-7B44-AA0000000001} | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\ARM | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\Acrobat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\ca_ES | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\cs_CZ | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\da_DK | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\de_DE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\es_ES | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\eu_ES | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\fi_FI | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\fr_FR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\hr_HR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\hu_HU | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\it_IT | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\ja_JP | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\ko_KR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\nb_NO | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\nl_NL | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\pl_PL | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\pt_BR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\ro_RO | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\ru_RU | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\sk_SK | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\sl_SI | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\sv_SE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\tr_TR | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\uk_UA | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\zh_CN | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\zh_TW | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Java | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Java\Java Update | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\SpeechEngines | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\System | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\System\Ole DB | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\System\Ole DB\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\System\ado | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\System\ado\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\System\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\System\msadc | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\System\msadc\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\DAO | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\Help | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\Help\1028 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\Help\1031 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\Help\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\Help\1036 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\Help\1040 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\Help\1041 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\Help\1042 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\Help\1046 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\Help\1049 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\Help\2052 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\Help\3082 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\MSEnv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\Portal | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\Stationery | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\TextConv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\Triedit | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\VBA | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\VC | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\VC\amd64 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\VGX | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\VSTA | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\VSTO | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\ink | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Google | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Extensions | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Installer | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\Locales | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\VisualElements | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm\_platform_specific | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\WidevineCdm\_platform_specific\win_x64 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\default_apps | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\SetupMetrics | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Google\CrashReports | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Internet Explorer | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Internet Explorer\SIGNUP | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Internet Explorer\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\bin | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\bin\client | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\bin\dtplugin | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\bin\plugin2 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\applet | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\cmm | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\deploy | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\deploy\jqs | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\ext | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\fonts | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\i386 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\images | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\images\cursors | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\jfr | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\management | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\security | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\zi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\zi\Africa | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\zi\America | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\zi\America\Argentina | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\zi\America\Indiana | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\zi\America\Kentucky | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\zi\America\North_Dakota | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\zi\Antarctica | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\zi\Asia | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\zi\Atlantic | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\zi\Australia | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\zi\Etc | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\zi\Europe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\zi\Indian | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\zi\Pacific | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Java\jre7\lib\zi\SystemV | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\MSBuild | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\MSBuild\Microsoft | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Analysis Services | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Office | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Office\Office14 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Office\Office14\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Visual Studio 8 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft.NET | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Microsoft.NET\RedistList | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\browser | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\browser\components | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\browser\extensions | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\defaults | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\defaults\pref | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\dictionaries | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\uninstall | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\webapprt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Maintenance Service | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Reference Assemblies | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Reference Assemblies\Microsoft | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Uninstall Information | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Windows Defender | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Windows Defender\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Windows Mail | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Windows Mail\en-US | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Windows Media Player | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Windows Media Player\Icons | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Program Files (x86)\Windows Media Player\Media Renderer | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\System Volume Information | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\README.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\README.html | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Acrobat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Acrobat\10.0 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Acrobat\10.0\Cache | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Color | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Color\Profiles | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps\2.0 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps\2.0\DQQ19BCJ.JAX | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps\2.0\DQQ19BCJ.JAX\YVORLGOR.PNT | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps\2.0\DQQ19BCJ.JAX\YVORLGOR.PNT\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps\2.0\DQQ19BCJ.JAX\YVORLGOR.PNT\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps\2.0\DQQ19BCJ.JAX\YVORLGOR.PNT\manifests | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps\2.0\Data | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps\2.0\Data\CJW3O3KP.BX7 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps\2.0\Data\CJW3O3KP.BX7\6NG60CXZ.9GJ | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps\2.0\Data\CJW3O3KP.BX7\6NG60CXZ.9GJ\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps\2.0\Data\CJW3O3KP.BX7\6NG60CXZ.9GJ\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\Data | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Deployment | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\CertificateTransparency | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Crashpad | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Crashpad\reports | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Cache | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Extension Rules | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Extension State | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Extensions | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Delete | C:\Users\5p5NrGJn0jS HALPmcxz\Music\u917nQmxGlYQ.wav | - |
|
2 | |
| Delete | C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\IdM m5ZZBkUoa\Jvd5uXr7194-2VV\JMnIuomaZSTsbg88vc.jpg | - |
|
2 | |
|
For performance reasons, the remaining 2339 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Process (40)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xb04, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xb54, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xb78, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xb9c, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xbc0, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xbe4, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x2b0, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x998, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x9bc, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x840, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xa00, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x344, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x58c, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x7fc, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x9b4, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x99c, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xa44, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xa70, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xa2c, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x930, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x90c, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x8e4, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x8c0, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x89c, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xb20, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xb70, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xb94, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xbb0, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xbdc, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xbf4, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x640, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x848, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x844, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x988, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x82c, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x9d0, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xbec, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x7e4, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x5a4, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x8c4, creation_flags = CREATE_UNICODE_ENVIRONMENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 |
Module (52)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Load | advapi32.dll | base_address = 0x74d40000 |
|
2 | |
| Load | ntdll.dll | base_address = 0x77130000 |
|
1 | |
| Load | ws2_32.dll | base_address = 0x75bc0000 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = AddDllDirectory, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = AddVectoredContinueHandler, address_out = 0x771937e1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetQueuedCompletionStatusEx, address_out = 0x76cb43af |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x76c3495d |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SystemFunction036, address_out = 0x74d41919 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtWaitForSingleObject, address_out = 0x7714f8ac |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = wine_get_version, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x76c351b3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetHandleInformation, address_out = 0x76c4195c |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAStartup, address_out = 0x75bc3ab2 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CancelIoEx, address_out = 0x76c4efbc |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileCompletionNotificationModes, address_out = 0x76caaeee |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAEnumProtocolsW, address_out = 0x75bcc8e1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x76c31328 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x76c35223 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x76c34467 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentVariableW, address_out = 0x76c31b48 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileAttributesExW, address_out = 0x76c34574 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x76c33f5c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x76c351e3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x76c351cb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76c31809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x76c31886 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x76c3103d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x76c31410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x76c31136 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetExitCodeProcess, address_out = 0x76c4174d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessTimes, address_out = 0x76c4d60f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x76c57aca |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptAcquireContextW, address_out = 0x74d4df14 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptGenRandom, address_out = 0x74d4dfc8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x76c31282 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileW, address_out = 0x76c34435 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileW, address_out = 0x76c354ee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x76c34442 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x76c33ed3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x76c389b3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RemoveDirectoryW, address_out = 0x76cb44cf |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSASocketW, address_out = 0x75bc3cd3 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = setsockopt, address_out = 0x75bc41b6 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = bind, address_out = 0x75bc4582 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = socket, address_out = 0x75bc3eb8 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAIoctl, address_out = 0x75bc2fe7 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = closesocket, address_out = 0x75bc3918 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x76c34620 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Hardware Information |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Environment (163)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
41 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
80 | |
| Get Environment String | name = path, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
40 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HOMEPATH, result_out = \Users\5p5NrGJn0jS HALPmcxz |
|
1 |
Network Behavior
TCP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 0 bytes |
| Total Data Received | 0 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | 193.56.28.231 |
TCP Session #1
| Information | Value |
|---|---|
| Remote Address | 193.56.28.231 |
| Remote Port | 80 |
| Local Address | 192.168.0.119 |
| Local Port | 49159 |
| Data Sent | 0 bytes |
| Data Received | 0 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Bind | local_address = 0.0.0.0, local_port = 49159, hint = OS assigned a local port from the dynamic client port range |
|
1 | |
| Connect | remote_address = 193.56.28.231, remote_port = 80 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
Process #2: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im msftesql.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:28, Reason: Child Process |
| Unmonitor | End Time: 00:00:34, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb04 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B08
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xb0c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x49e10000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:09 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 99840 |
|
1 | |
| Get Time | type = Performance Ctr, time = 14913902070 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #3: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im msftesql.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:28, Reason: Child Process |
| Unmonitor | End Time: 00:00:34, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb0c |
| Parent PID | 0xb04 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B10
0x
B14
0x
B18
0x
B1C
0x
B20
|
Process #6: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im sqlagent.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:33, Reason: Child Process |
| Unmonitor | End Time: 00:00:33, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb54 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B58
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xb5c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a990000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:10 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 100995 |
|
1 | |
| Get Time | type = Performance Ctr, time = 15380334515 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #7: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im sqlagent.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:33, Reason: Child Process |
| Unmonitor | End Time: 00:00:34, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb5c |
| Parent PID | 0xb54 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B60
0x
B64
0x
B68
0x
B6C
0x
B70
|
Process #8: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im sqlbrowser.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:33, Reason: Child Process |
| Unmonitor | End Time: 00:00:34, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb78 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B7C
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xb80, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4aca0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:10 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 101463 |
|
1 | |
| Get Time | type = Performance Ctr, time = 15428026436 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #9: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im sqlbrowser.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:00:34, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb80 |
| Parent PID | 0xb78 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B84
0x
B88
0x
B8C
0x
B90
0x
B94
|
Process #10: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im sqlservr.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:00:35, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb9c |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BA0
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xba4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a770000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:11 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 101899 |
|
1 | |
| Get Time | type = Performance Ctr, time = 15471388277 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #11: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im sqlservr.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:00:35, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xba4 |
| Parent PID | 0xb9c (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BA8
0x
BAC
0x
BB0
0x
BB4
0x
BB8
|
Process #12: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im sqlwriter.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:00:36, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbc0 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BC4
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xbc8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a470000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:11 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 102305 |
|
1 | |
| Get Time | type = Performance Ctr, time = 15512170625 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #13: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im sqlwriter.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:00:36, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbc8 |
| Parent PID | 0xbc0 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BCC
0x
BD0
0x
BD4
0x
BD8
0x
BDC
|
Process #14: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im oracle.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:00:36, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbe4 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BE8
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xbec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:12 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 102757 |
|
1 | |
| Get Time | type = Performance Ctr, time = 15558258902 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #15: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im oracle.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:00:36, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbec |
| Parent PID | 0xbe4 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BF0
0x
BF4
0x
BF8
0x
BFC
0x
288
|
Process #16: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im ocssd.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:00:37, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2b0 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
73C
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x6ec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a4d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:12 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 103225 |
|
1 | |
| Get Time | type = Performance Ctr, time = 15604520984 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #17: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im ocssd.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:00:37, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6ec |
| Parent PID | 0x2b0 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
664
0x
640
0x
488
0x
694
0x
6B4
0x
5F4
|
Process #18: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im dbsnmp.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:00:37, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x998 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
990
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x984, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a5c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:13 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 104005 |
|
1 | |
| Get Time | type = Performance Ctr, time = 15683216508 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #19: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im dbsnmp.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:00:37, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x984 |
| Parent PID | 0x998 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
980
0x
988
0x
97C
0x
978
0x
974
|
Process #20: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #20 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im synctime.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:00:37, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9bc |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9C0
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x838, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a7e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:13 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 104427 |
|
1 | |
| Get Time | type = Performance Ctr, time = 15725420657 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #21: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #21 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im synctime.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:00:37, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x838 |
| Parent PID | 0x9bc (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
828
0x
82C
0x
830
0x
834
0x
83C
|
Process #22: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #22 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im mydesktopqos.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:37, Reason: Child Process |
| Unmonitor | End Time: 00:00:37, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x840 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
824
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x814, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a940000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:14 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 104817 |
|
1 | |
| Get Time | type = Performance Ctr, time = 15765003511 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #23: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im mydesktopqos.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:37, Reason: Child Process |
| Unmonitor | End Time: 00:00:38, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x814 |
| Parent PID | 0x840 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
818
0x
9D0
0x
9DC
0x
9E0
0x
9E4
|
Process #24: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #24 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im agntsvc.exeisqlplussvc.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:37, Reason: Child Process |
| Unmonitor | End Time: 00:00:39, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa00 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
808
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x798, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a020000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:14 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 105331 |
|
1 | |
| Get Time | type = Performance Ctr, time = 15817322758 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #25: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #25 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im agntsvc.exeisqlplussvc.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:37, Reason: Child Process |
| Unmonitor | End Time: 00:00:39, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x798 |
| Parent PID | 0xa00 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7D0
0x
78C
0x
C0
0x
7D8
0x
184
|
Process #26: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #26 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im xfssvccon.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:38, Reason: Child Process |
| Unmonitor | End Time: 00:00:39, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x344 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
244
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x210, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a930000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:15 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 105784 |
|
1 | |
| Get Time | type = Performance Ctr, time = 15861906822 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #27: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #27 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im xfssvccon.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:38, Reason: Child Process |
| Unmonitor | End Time: 00:00:39, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x210 |
| Parent PID | 0x344 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
314
0x
1E8
0x
178
0x
7E4
0x
7A4
|
Process #28: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #28 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im mydesktopservice.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:38, Reason: Child Process |
| Unmonitor | End Time: 00:00:39, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x58c |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7E8
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x39c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a050000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:15 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 106174 |
|
1 | |
| Get Time | type = Performance Ctr, time = 15902394715 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #29: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #29 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im mydesktopservice.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:38, Reason: Child Process |
| Unmonitor | End Time: 00:00:39, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x39c |
| Parent PID | 0x58c (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
53C
0x
5A4
0x
248
0x
688
0x
7C0
|
Process #30: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #30 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im ocautoupds.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:39, Reason: Child Process |
| Unmonitor | End Time: 00:00:39, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7fc |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6AC
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x804, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a410000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:15 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 106642 |
|
1 | |
| Get Time | type = Performance Ctr, time = 15948608174 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #31: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #31 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im ocautoupds.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:39, Reason: Child Process |
| Unmonitor | End Time: 00:00:40, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x804 |
| Parent PID | 0x7fc (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
958
0x
7D4
0x
9FC
0x
7AC
0x
5B8
|
Process #32: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #32 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im agntsvc.exeagntsvc.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:39, Reason: Child Process |
| Unmonitor | End Time: 00:00:40, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9b4 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A14
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x9b0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x49f10000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:16 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 107110 |
|
1 | |
| Get Time | type = Performance Ctr, time = 15996788837 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #33: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #33 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im agntsvc.exeagntsvc.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:39, Reason: Child Process |
| Unmonitor | End Time: 00:00:40, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9b0 |
| Parent PID | 0x9b4 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9A4
0x
9A8
0x
9AC
0x
9C8
0x
9A0
|
Process #34: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #34 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im agntsvc.exeencsvc.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:40, Reason: Child Process |
| Unmonitor | End Time: 00:00:40, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x99c |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A28
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xa34, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a310000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:16 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 107562 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16041326102 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #35: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #35 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im agntsvc.exeencsvc.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:40, Reason: Child Process |
| Unmonitor | End Time: 00:00:40, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa34 |
| Parent PID | 0x99c (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A74
0x
A78
0x
A64
0x
AB0
0x
AB4
|
Process #36: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #36 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im firefoxconfig.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:40, Reason: Child Process |
| Unmonitor | End Time: 00:00:42, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa44 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A60
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xa4c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a7c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:17 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 108015 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16087791351 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #37: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #37 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im firefoxconfig.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:40, Reason: Child Process |
| Unmonitor | End Time: 00:00:42, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa4c |
| Parent PID | 0xa44 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A48
0x
A40
0x
A50
0x
A5C
0x
A90
|
Process #38: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #38 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im tbirdconfig.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:40, Reason: Child Process |
| Unmonitor | End Time: 00:00:42, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa70 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A3C
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xa38, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x49e30000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:17 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 108420 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16127745154 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #39: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #39 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im tbirdconfig.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:41, Reason: Child Process |
| Unmonitor | End Time: 00:00:42, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa38 |
| Parent PID | 0xa70 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A8C
0x
A88
0x
A84
0x
A7C
0x
AD4
|
Process #40: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #40 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im ocomm.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:41, Reason: Child Process |
| Unmonitor | End Time: 00:00:42, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa2c |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AE4
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xaf4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a300000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:18 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 108826 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16168950619 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #41: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #41 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im ocomm.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:41, Reason: Child Process |
| Unmonitor | End Time: 00:00:42, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xaf4 |
| Parent PID | 0xa2c (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3D0
0x
944
0x
940
0x
93C
0x
938
|
Process #42: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #42 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im mysqld.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:41, Reason: Child Process |
| Unmonitor | End Time: 00:00:43, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x930 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
92C
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x928, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a260000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:18 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 109231 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16210765839 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #43: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #43 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im mysqld.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:41, Reason: Child Process |
| Unmonitor | End Time: 00:00:43, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x928 |
| Parent PID | 0x930 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
924
0x
920
0x
91C
0x
918
0x
914
|
Process #44: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #44 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im mysqld-nt.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:42, Reason: Child Process |
| Unmonitor | End Time: 00:00:42, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x90c |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
908
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x904, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a890000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:18 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 109637 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16251273051 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #45: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #45 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im mysqld-nt.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:42, Reason: Child Process |
| Unmonitor | End Time: 00:00:42, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x904 |
| Parent PID | 0x90c (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
900
0x
8FC
0x
8F8
0x
8F4
0x
8F0
|
Process #46: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #46 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im mysqld-opt.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:42, Reason: Child Process |
| Unmonitor | End Time: 00:00:42, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8e4 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8E0
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x8dc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4acb0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:19 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 110074 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16294889581 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #47: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #47 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im mysqld-opt.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:42, Reason: Child Process |
| Unmonitor | End Time: 00:00:43, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8dc |
| Parent PID | 0x8e4 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8D8
0x
8D4
0x
8D0
0x
8CC
0x
8C8
|
Process #48: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #48 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im dbeng50.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:42, Reason: Child Process |
| Unmonitor | End Time: 00:00:43, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8c0 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8BC
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x8b8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x49fc0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:19 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 110479 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16335937641 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #49: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #49 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im dbeng50.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:43, Reason: Child Process |
| Unmonitor | End Time: 00:00:44, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8b8 |
| Parent PID | 0x8c0 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8B4
0x
8B0
0x
8AC
0x
8A8
0x
8A4
|
Process #50: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #50 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im sqbcoreservice.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:43, Reason: Child Process |
| Unmonitor | End Time: 00:00:44, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x89c |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
898
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x894, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a160000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:20 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 110963 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16384152167 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #51: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #51 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im sqbcoreservice.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:43, Reason: Child Process |
| Unmonitor | End Time: 00:00:44, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x894 |
| Parent PID | 0x89c (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
890
0x
88C
0x
B24
0x
B28
0x
B50
|
Process #52: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #52 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im excel.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:43, Reason: Child Process |
| Unmonitor | End Time: 00:00:45, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb20 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B14
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xb18, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4ab00000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:20:20 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 111384 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16427034036 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #53: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #53 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im excel.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:43, Reason: Child Process |
| Unmonitor | End Time: 00:00:45, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb18 |
| Parent PID | 0xb20 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B10
0x
B0C
0x
B08
0x
B04
0x
B74
|
Process #54: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #54 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im infopath.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:44, Reason: Child Process |
| Unmonitor | End Time: 00:00:44, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb70 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B64
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xb68, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4aa70000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1602-08-21 01:39:13 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 111774 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16466621280 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #55: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #55 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im infopath.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:44, Reason: Child Process |
| Unmonitor | End Time: 00:00:44, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb68 |
| Parent PID | 0xb70 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B60
0x
B5C
0x
B58
0x
B54
0x
B98
|
Process #56: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #56 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im msaccess.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:44, Reason: Child Process |
| Unmonitor | End Time: 00:00:45, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb94 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B88
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xb8c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x49ed0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1602-08-21 01:39:13 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 112180 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16506288892 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #57: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #57 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im msaccess.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:44, Reason: Child Process |
| Unmonitor | End Time: 00:00:45, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb8c |
| Parent PID | 0xb94 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B84
0x
B7C
0x
BBC
0x
BB4
0x
BB8
|
Process #58: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #58 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im mspub.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:45, Reason: Child Process |
| Unmonitor | End Time: 00:00:45, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbb0 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BA8
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xba0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a100000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1602-08-21 01:39:14 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 112570 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16545548087 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #59: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #59 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im mspub.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:45, Reason: Child Process |
| Unmonitor | End Time: 00:00:45, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xba0 |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B80
0x
B78
0x
B9C
0x
BA4
0x
BE0
|
Process #60: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #60 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im onenote.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:45, Reason: Child Process |
| Unmonitor | End Time: 00:00:45, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbdc |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BD0
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xbd4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a840000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1602-08-21 01:39:14 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 112991 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16588604951 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #61: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #61 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im onenote.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:45, Reason: Child Process |
| Unmonitor | End Time: 00:00:46, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbd4 |
| Parent PID | 0xbdc (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BCC
0x
BC4
0x
878
0x
2A8
0x
BFC
|
Process #62: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #62 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im outlook.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:45, Reason: Child Process |
| Unmonitor | End Time: 00:00:46, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbf4 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BF8
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xbf0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a040000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-27 02:27:33 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 113381 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16628330882 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #63: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #63 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im outlook.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:46, Reason: Child Process |
| Unmonitor | End Time: 00:00:46, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbf0 |
| Parent PID | 0xbf4 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BE8
0x
B0
0x
98C
0x
694
0x
6B4
|
Process #64: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #64 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im powerpnt.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:46, Reason: Child Process |
| Unmonitor | End Time: 00:00:47, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x640 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
488
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x664, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a110000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-27 02:27:33 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 113787 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16668035788 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #65: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #65 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im powerpnt.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:46, Reason: Child Process |
| Unmonitor | End Time: 00:00:47, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x664 |
| Parent PID | 0x640 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6EC
0x
73C
0x
AAC
0x
2B0
0x
994
|
Process #66: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #66 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im steam.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:46, Reason: Child Process |
| Unmonitor | End Time: 00:00:48, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x848 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A9C
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xaa0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a5d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-27 02:27:33 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 114161 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16706334353 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #67: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #67 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im steam.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:46, Reason: Child Process |
| Unmonitor | End Time: 00:00:48, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xaa0 |
| Parent PID | 0x848 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AA4
0x
A98
0x
A94
0x
AD0
0x
9B8
|
Process #68: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #68 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im sqlservr.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:47, Reason: Child Process |
| Unmonitor | End Time: 00:00:47, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x844 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AC0
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xac4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a4a0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-27 02:27:34 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 114582 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16747316345 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #69: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #69 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im sqlservr.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:47, Reason: Child Process |
| Unmonitor | End Time: 00:00:47, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xac4 |
| Parent PID | 0x844 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AC8
0x
ABC
0x
AB8
0x
970
0x
978
|
Process #70: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #70 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im thebat.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:47, Reason: Child Process |
| Unmonitor | End Time: 00:00:47, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x988 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
97C
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x980, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a8a0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-27 02:27:34 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 114972 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16785685483 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #71: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #71 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im thebat.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:47, Reason: Child Process |
| Unmonitor | End Time: 00:00:48, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x980 |
| Parent PID | 0x988 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
984
0x
990
0x
998
0x
84C
0x
834
|
Process #72: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #72 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im thebat64.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:47, Reason: Child Process |
| Unmonitor | End Time: 00:00:49, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x82c |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
830
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x828, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a160000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-27 02:27:35 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 115362 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16825898620 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #73: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #73 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im thebat64.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:47, Reason: Child Process |
| Unmonitor | End Time: 00:00:49, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x828 |
| Parent PID | 0x82c (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
838
0x
9C0
0x
9BC
0x
9CC
0x
9E0
|
Process #74: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #74 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im thunderbird.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:48, Reason: Child Process |
| Unmonitor | End Time: 00:00:49, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9d0 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9DC
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x818, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a720000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-27 02:27:35 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 115815 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16871704173 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #75: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #75 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im thunderbird.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:48, Reason: Child Process |
| Unmonitor | End Time: 00:00:49, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x818 |
| Parent PID | 0x9d0 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
814
0x
824
0x
840
0x
BC8
0x
BC0
|
Process #76: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #76 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im visio.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:48, Reason: Child Process |
| Unmonitor | End Time: 00:00:49, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbec |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
618
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x7d8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4ab60000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-27 02:27:35 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 116220 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16911528175 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #77: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #77 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im visio.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:48, Reason: Child Process |
| Unmonitor | End Time: 00:00:49, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7d8 |
| Parent PID | 0xbec (c:\windows\syswow64\taskkill.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
184
0x
78C
0x
C0
0x
7D0
0x
808
|
Process #78: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #78 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im winword.exe " |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:49, Reason: Child Process |
| Unmonitor | End Time: 00:00:49, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7e4 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7A4
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x1e8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x49db0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-27 02:27:36 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 116626 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16953411161 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #79: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #79 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im winword.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:49, Reason: Child Process |
| Unmonitor | End Time: 00:00:50, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1e8 |
| Parent PID | 0x7e4 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
178
0x
314
0x
244
0x
648
0x
688
|
Process #80: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #80 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "taskkill /f /im wordpad.exe" |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:49, Reason: Child Process |
| Unmonitor | End Time: 00:00:50, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5a4 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
248
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x53c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a020000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-27 02:27:36 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 117031 |
|
1 | |
| Get Time | type = Performance Ctr, time = 16994584574 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #81: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #81 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill /f /im wordpad.exe |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:00:49, Reason: Child Process |
| Unmonitor | End Time: 00:00:50, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x53c |
| Parent PID | 0x5a4 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
39C
0x
7E8
0x
58C
0x
7C4
0x
7AC
|
Process #82: cmd.exe
57
0
| Information | Value |
|---|---|
| ID | #82 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c "shutdown /r /f /t 1" |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:02:00, Reason: Child Process |
| Unmonitor | End Time: 00:02:01, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8c4 |
| Parent PID | 0xad8 (c:\users\5p5nrgjn0js halpmcxz\desktop\w.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8CC
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a1d0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76c4a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76c53b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76c4a79d |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-06-28 15:21:35 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 185843 |
|
1 | |
| Get Time | type = Performance Ctr, time = 24083592813 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #83: shutdown.exe
0
0
| Information | Value |
|---|---|
| ID | #83 |
| File Name | c:\windows\syswow64\shutdown.exe |
| Command Line | shutdown /r /f /t 1 |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:02:00, Reason: Child Process |
| Unmonitor | End Time: 00:02:02, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8c8 |
| Parent PID | 0x8c4 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8D4
0x
8A8
|
