ae7d5973d7daaa7dec7f06af80b97b5927b44521ed4aa3fe2b75d98ecd9a9a80 (SHA256)
zOTcI.exe
Windows Exe (x86-64)
Created at 2019-02-09 09:06:00
Notifications (2/4)
Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.
The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.
The overall sleep time of all monitored processes was truncated from "40 minutes, 50 seconds" to "10 minutes" to reveal dormant functionality.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: zotci.exe
65271
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\ciihmnxmn6ps\desktop\zotci.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\zOTcI.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:53, Reason: Analysis Target |
| Unmonitor | End Time: 00:04:44, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:51 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf08 |
| Parent PID | 0x57c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F0C
0x
F10
0x
F24
0x
F28
0x
F34
0x
F3C
0x
F40
0x
F58
0x
F5C
0x
F84
0x
FC4
0x
E1C
0x
820
0x
EF0
0x
EF4
0x
F04
0x
EEC
0x
ED0
0x
EC0
0x
924
0x
4F0
0x
148
0x
870
0x
61C
0x
2E4
0x
CE0
0x
CE4
0x
85C
0x
88C
0x
798
0x
81C
0x
550
0x
554
0x
790
0x
E64
0x
E74
0x
E6C
0x
E68
0x
3C0
0x
F20
0x
F60
0x
F28
0x
764
0x
628
0x
F64
0x
F54
0x
F48
0x
F70
0x
F84
0x
F80
0x
FC8
0x
FBC
0x
F50
0x
FDC
0x
FE0
0x
FE4
0x
FC4
0x
FFC
0x
FD4
0x
F98
0x
114
0x
C6C
0x
C08
0x
C24
0x
200
0x
F44
0x
718
0x
AE4
0x
230
0x
CEC
0x
C7C
0x
FF0
0x
D18
0x
F38
0x
C2C
0x
4F8
0x
E9C
0x
E94
0x
E60
0x
E8C
0x
E90
0x
E98
0x
EA8
0x
EAC
0x
EB0
0x
E70
0x
C64
0x
434
0x
D10
0x
F14
0x
530
0x
470
0x
CB8
0x
620
0x
A44
0x
D14
0x
224
0x
320
0x
BF8
0x
C5C
0x
CC8
0x
FEC
0x
E5C
0x
538
0x
B18
0x
518
0x
F94
0x
274
0x
DCC
0x
DD0
0x
304
0x
7C0
0x
788
0x
63C
0x
728
0x
128
0x
5B8
0x
248
0x
CF8
0x
7FC
0x
C38
0x
774
0x
D38
0x
F90
0x
7AC
0x
7B0
0x
7C8
0x
490
0x
770
0x
76C
0x
7CC
0x
968
0x
7BC
0x
46C
0x
C34
0x
950
0x
1A4
0x
D40
0x
C44
0x
CC4
0x
FB4
0x
C58
0x
FCC
0x
C54
0x
FB0
0x
FF4
0x
FC0
0x
FB8
0x
5E4
0x
580
0x
578
0x
5CC
0x
5D8
0x
334
0x
B74
0x
DBC
0x
E1C
0x
EB8
0x
AEC
0x
510
0x
E20
0x
DDC
0x
90C
0x
A10
0x
DE0
0x
E28
0x
F00
0x
9B8
0x
B90
0x
BA4
0x
9B4
0x
8E0
0x
B60
0x
92C
0x
84C
0x
8D4
0x
958
0x
BA8
0x
B70
0x
BAC
0x
EB4
0x
C40
0x
C4C
0x
C04
0x
C30
0x
C50
0x
C84
0x
A70
0x
C10
0x
F9C
0x
754
0x
C70
0x
8BC
0x
3DC
0x
A8C
0x
A50
0x
ACC
0x
54C
0x
B3C
0x
418
0x
910
0x
C1C
0x
C18
0x
820
0x
ED4
0x
E0C
0x
DE4
0x
EE8
0x
DE8
0x
EF8
0x
E08
0x
DF4
0x
784
0x
D34
0x
DEC
0x
EFC
0x
DF0
0x
E14
0x
E10
0x
E34
0x
900
0x
E54
0x
ED8
0x
E24
0x
E40
0x
E48
0x
E38
0x
EF4
0x
EE4
0x
E80
0x
E84
0x
ECC
0x
EBC
0x
E78
0x
5BC
0x
EC4
0x
E7C
0x
EC8
0x
C60
0x
C48
0x
C68
0x
CB4
0x
CB0
0x
C80
0x
CC0
0x
C3C
0x
D10
0x
FA8
0x
318
0x
F2C
0x
34C
0x
320
0x
F78
0x
CD4
0x
AE8
0x
F8C
0x
D58
0x
C28
0x
CBC
0x
338
0x
F4C
0x
AD8
0x
A58
0x
404
0x
DB4
0x
F7C
0x
7C4
0x
36C
0x
56C
0x
FF8
0x
B84
0x
DC4
0x
648
0x
E30
0x
E44
0x
C78
0x
AC4
0x
5C0
0x
FAC
0x
EDC
0x
9F4
0x
9F8
0x
A00
0x
A24
0x
A14
0x
A40
0x
CD8
0x
B08
0x
8C0
0x
A0C
0x
1004
0x
1008
0x
100C
0x
1010
0x
1014
0x
1018
0x
101C
0x
1020
0x
1024
0x
1028
0x
102C
0x
1030
0x
1034
0x
1038
0x
103C
0x
1040
0x
1044
0x
1048
0x
104C
0x
1050
0x
1054
0x
1058
0x
105C
0x
1060
0x
1064
0x
1068
0x
106C
0x
1070
0x
1074
0x
1078
0x
107C
0x
1080
0x
1084
0x
1088
0x
108C
0x
1090
0x
1094
0x
1098
0x
109C
0x
10A0
0x
10D0
0x
10D4
0x
10F8
0x
10FC
0x
1100
0x
1104
0x
1108
0x
110C
0x
1110
0x
1114
0x
1118
0x
111C
0x
1120
0x
1124
0x
1128
0x
112C
0x
1130
0x
1134
0x
1138
0x
113C
0x
1140
0x
1144
0x
1148
0x
114C
0x
1150
0x
1154
0x
1158
0x
115C
0x
1160
0x
11A4
0x
11A8
0x
11AC
0x
11B0
0x
11B4
0x
11BC
0x
11C0
0x
11C4
0x
11C8
0x
11CC
0x
11D0
0x
11D4
0x
11D8
0x
11DC
0x
11E0
0x
11E4
0x
11E8
0x
11EC
0x
11F0
0x
11F4
0x
11F8
0x
11FC
0x
1200
0x
1204
0x
1208
0x
120C
0x
1210
0x
1214
0x
1218
0x
1220
0x
1224
0x
1228
0x
122C
0x
1254
0x
1258
0x
125C
0x
1260
0x
1264
0x
1268
0x
126C
0x
1270
0x
1274
0x
12A0
0x
12A4
0x
12A8
0x
12AC
0x
12B0
0x
12B4
0x
12B8
0x
12BC
0x
12C0
0x
12C4
0x
12C8
0x
12CC
0x
12D0
0x
12D4
0x
12D8
0x
12DC
0x
12E0
0x
12E4
0x
12E8
0x
12EC
0x
12F0
0x
12F4
0x
12F8
0x
12FC
0x
1300
0x
1304
0x
1308
0x
130C
0x
1310
0x
1314
0x
1318
0x
131C
0x
1320
0x
1324
0x
1328
0x
132C
0x
1330
0x
1334
0x
1338
0x
133C
0x
1340
0x
1344
0x
1348
0x
134C
0x
1350
0x
1354
0x
1358
0x
135C
0x
1360
0x
1364
0x
1368
0x
136C
0x
1370
0x
1374
0x
1378
0x
137C
0x
1380
0x
1384
0x
1388
0x
13B8
0x
13BC
0x
13C0
0x
13C4
0x
13C8
0x
13CC
0x
13D0
0x
13D4
0x
13D8
0x
13DC
0x
13E4
0x
13E8
0x
13EC
0x
13F0
0x
13F4
0x
13F8
0x
13FC
0x
10A0
0x
10B0
0x
75C
0x
D30
0x
D24
0x
10F0
0x
10E8
0x
10C8
0x
10CC
0x
10C4
0x
10D8
0x
10A8
0x
E04
0x
10B8
0x
10C0
0x
10A4
0x
10BC
0x
10B4
0x
1178
0x
10E0
0x
1170
0x
116C
0x
10DC
0x
1168
0x
10F4
0x
10E4
0x
1180
0x
117C
0x
1240
0x
1230
0x
121C
0x
1250
0x
D00
0x
EA0
0x
FE8
0x
A90
0x
127C
0x
1278
0x
1284
0x
1280
0x
128C
0x
1288
0x
1388
0x
1398
0x
13B0
0x
1404
0x
1408
0x
140C
0x
1410
0x
1414
0x
1418
0x
141C
0x
1420
0x
1424
0x
1428
0x
142C
0x
1430
0x
1434
0x
1438
0x
143C
0x
1440
0x
1444
0x
144C
0x
147C
0x
1480
0x
1484
0x
1488
0x
148C
0x
1490
0x
1494
0x
149C
0x
14A0
0x
14A4
0x
14A8
0x
14AC
0x
14B0
0x
14B4
0x
14B8
0x
14BC
0x
14C0
0x
14C4
0x
14C8
0x
14CC
0x
14D0
0x
14D4
0x
14D8
0x
14DC
0x
14E0
0x
14E4
0x
14E8
0x
14EC
0x
14F0
0x
14F4
0x
14F8
0x
14FC
0x
1500
0x
1504
0x
1508
0x
150C
0x
1510
0x
1514
0x
1518
0x
151C
0x
1520
0x
1524
0x
1528
0x
152C
0x
1530
0x
1534
0x
1538
0x
153C
0x
1540
0x
1544
0x
1548
0x
154C
0x
1550
0x
1554
0x
1558
0x
155C
0x
1560
0x
1564
0x
1568
0x
156C
0x
1570
0x
1574
0x
1578
0x
157C
0x
1580
0x
1584
0x
1588
0x
158C
0x
1590
0x
1594
0x
1598
0x
159C
0x
15A0
0x
15A4
0x
15A8
0x
15AC
0x
15B0
0x
15B4
0x
15B8
0x
15BC
0x
15C0
0x
15C4
0x
15C8
0x
15CC
0x
15D0
0x
15D4
0x
15D8
0x
15DC
0x
15E0
0x
15E4
0x
15E8
0x
15EC
0x
15F0
0x
15F4
0x
15F8
0x
15FC
0x
1600
0x
1604
0x
1608
0x
160C
0x
1610
0x
1614
0x
1618
0x
161C
0x
1620
0x
1624
0x
1628
0x
162C
0x
1630
0x
1634
0x
1638
0x
163C
0x
1640
0x
1644
0x
1648
0x
164C
0x
1650
0x
1654
0x
1658
0x
165C
0x
1660
0x
1664
0x
1668
0x
166C
0x
1670
0x
1674
0x
1678
0x
167C
0x
1680
0x
1684
0x
1688
0x
168C
0x
1690
0x
1694
0x
1698
0x
169C
0x
16A0
0x
16A4
0x
16A8
0x
16AC
0x
16B0
0x
16B4
0x
16B8
0x
16BC
0x
16C0
0x
16C4
0x
16C8
0x
16CC
0x
16D0
0x
16D4
0x
16D8
0x
16DC
0x
16E0
0x
16E4
0x
16E8
0x
16EC
0x
16F0
0x
16F4
0x
16F8
0x
16FC
0x
1700
0x
1704
0x
1708
0x
170C
0x
1710
0x
1714
0x
1718
0x
171C
0x
1720
0x
1724
0x
1730
0x
1734
0x
1738
0x
173C
0x
1740
0x
1744
0x
1748
0x
174C
0x
1750
0x
1754
0x
1758
0x
175C
0x
1760
0x
1764
0x
1768
0x
176C
0x
1770
0x
1774
0x
1778
0x
177C
0x
1780
0x
1784
0x
1788
0x
1790
0x
1794
0x
1798
0x
179C
0x
17A0
0x
17A4
0x
17A8
0x
17AC
0x
17B0
0x
17B4
0x
17E4
0x
17E8
0x
17EC
0x
17F0
0x
17F4
0x
17F8
0x
1164
0x
1390
0x
13AC
0x
10D0
0x
138C
0x
13B4
0x
13A0
0x
CE8
0x
2F4
0x
144C
0x
145C
0x
548
0x
F88
0x
68C
0x
1474
0x
1478
0x
1454
0x
1464
0x
146C
0x
1450
0x
1468
0x
1460
0x
1458
0x
1394
0x
10AC
0x
D4C
0x
D3C
0x
F18
0x
234
0x
D0
0x
C88
0x
F1C
0x
FA4
0x
528
0x
610
0x
C74
0x
17B4
0x
17D0
0x
17D8
0x
1804
0x
1808
0x
180C
0x
1810
0x
1814
0x
1818
0x
181C
0x
1820
0x
1824
0x
1828
0x
182C
0x
1830
0x
1834
0x
1838
0x
183C
0x
1840
0x
1844
0x
1848
0x
184C
0x
1850
0x
1854
0x
1858
0x
185C
0x
1860
0x
1864
0x
1868
0x
1870
0x
1874
0x
1878
0x
187C
0x
1880
0x
1884
0x
1888
0x
188C
0x
1898
0x
189C
0x
18A0
0x
18A4
0x
18A8
0x
18AC
0x
18B0
0x
18B4
0x
18B8
0x
18BC
0x
18C0
0x
18C4
0x
18CC
0x
18D0
0x
18D4
0x
18D8
0x
18DC
0x
18E0
0x
18E4
0x
18E8
0x
18EC
0x
18F0
0x
18F4
0x
18F8
0x
18FC
0x
1900
0x
1904
0x
1910
0x
1914
0x
1918
0x
191C
0x
1920
0x
1924
0x
1928
0x
192C
0x
1930
0x
1934
0x
1938
0x
193C
0x
1940
0x
1954
0x
1958
0x
195C
0x
1960
0x
1964
0x
1970
0x
1974
0x
1978
0x
1980
0x
1984
0x
198C
0x
1990
0x
1994
0x
19A0
0x
19A4
0x
19AC
0x
19B0
0x
19B4
0x
19B8
0x
19BC
0x
19C0
0x
19D0
0x
19D4
0x
19D8
0x
19DC
0x
19E0
0x
19E4
0x
19F0
0x
19F4
0x
19F8
0x
19FC
0x
1A00
0x
1A04
0x
1A08
0x
1A0C
0x
1A10
0x
1A14
0x
1A18
0x
1A1C
0x
1A34
0x
1A38
0x
1A3C
0x
1A40
0x
1A44
0x
1A4C
0x
1A50
0x
1A54
0x
1A58
0x
1A5C
0x
1A60
0x
1A64
0x
1A68
0x
1A74
0x
1A78
0x
1A7C
0x
1A80
0x
1A84
0x
1A8C
0x
1A90
0x
1A94
0x
1A98
0x
1A9C
0x
1AA0
0x
1AA4
0x
1AA8
0x
1AC8
0x
1ACC
0x
1AD0
0x
1AD4
0x
1AD8
0x
1ADC
0x
1AE0
0x
1AE4
0x
1AE8
0x
1AEC
0x
1AF0
0x
1AF4
0x
1AF8
0x
1AFC
0x
1B0C
0x
1B10
0x
1B14
0x
1B18
0x
1B1C
0x
1B20
0x
1B24
0x
1B28
0x
1B2C
0x
1B30
0x
1B34
0x
1B38
0x
1B3C
0x
1B40
0x
1B44
0x
1B48
0x
1B4C
0x
1B50
0x
1B54
0x
1B58
0x
1B5C
0x
1B60
0x
1B64
0x
1B68
0x
1B6C
0x
1B70
0x
1B74
0x
1B78
0x
1B7C
0x
1B80
0x
1B84
0x
1B88
0x
1B8C
0x
1B90
0x
1B94
0x
1B98
0x
1B9C
0x
1BA0
0x
1BA4
0x
1BA8
0x
1BAC
0x
1BB0
0x
1BB4
0x
1BB8
0x
1BBC
0x
1BC0
0x
1BC4
0x
1BCC
0x
1BD0
0x
1BD4
0x
1BD8
0x
1BDC
0x
1BE0
0x
1BE4
0x
1BE8
0x
1BEC
0x
1BF0
0x
1BF4
0x
1BF8
0x
1BFC
0x
1904
0x
190C
0x
18C8
0x
1950
0x
DC8
0x
DD8
0x
197C
0x
1894
0x
1908
0x
17CC
0x
17FC
0x
186C
0x
1174
0x
17E0
0x
19C8
0x
19CC
0x
19C4
0x
1948
0x
196C
0x
19A8
0x
1944
0x
1988
0x
1968
0x
19EC
0x
19E8
0x
874
0x
1A30
0x
194C
0x
1890
0x
17D4
0x
17C8
0x
1A20
0x
1AAC
0x
1AB4
0x
1B00
0x
1ABC
0x
1A70
0x
1B04
0x
1A6C
0x
1AC4
0x
1AB8
0x
EE0
0x
208
0x
1FC
0x
1AB0
0x
2C0
0x
558
0x
520
0x
29C
0x
264
0x
928
0x
300
0x
6B0
0x
734
0x
140
0x
864
0x
A68
0x
5EC
0x
634
0x
6FC
0x
834
0x
830
0x
43C
0x
14C
0x
7A8
0x
FC
0x
6B8
0x
4F4
0x
48C
0x
5FC
0x
1C04
0x
1C08
0x
1C0C
0x
1C10
0x
1C14
0x
1C18
0x
1C1C
0x
1C20
0x
1C24
0x
1C28
0x
1C2C
0x
1C30
0x
1C34
0x
1C38
0x
1C3C
0x
1C40
0x
1C44
0x
1C48
0x
1C4C
0x
1C50
0x
1C54
0x
1C58
0x
1C5C
0x
1C60
0x
1C64
0x
1C68
0x
1C70
0x
1C74
0x
1C78
0x
1C7C
0x
1C80
0x
1C84
0x
1C88
0x
1C8C
0x
1C90
0x
1C94
0x
1CA0
0x
1CA4
0x
1CA8
0x
1CAC
0x
1CB0
0x
1CB4
0x
1CB8
0x
1CBC
0x
1CC0
0x
1CC4
0x
1CC8
0x
1CCC
0x
1CD0
0x
1CD4
0x
1CD8
0x
1CDC
0x
1CE0
0x
1CE4
0x
1CE8
0x
1CEC
0x
1CF0
0x
1CF4
0x
1CF8
0x
1CFC
0x
1D00
0x
1D04
0x
1D08
0x
1D0C
0x
1D10
0x
1D14
0x
1D18
0x
1D1C
0x
1D20
0x
1D24
0x
1D28
0x
1D2C
0x
1D30
0x
1D3C
0x
1D40
0x
1D44
0x
1D48
0x
1D4C
0x
1D50
0x
1D54
0x
1D58
0x
1D5C
0x
1D60
0x
1D64
0x
1D6C
0x
1D70
0x
1D74
0x
1D78
0x
1D7C
0x
1D84
0x
1D88
0x
1D8C
0x
1D90
0x
1D94
0x
1D98
0x
1D9C
0x
1DA0
0x
1DA4
0x
1DA8
0x
1DAC
0x
1DB0
0x
1DB4
0x
1DB8
0x
1DBC
0x
1DC0
0x
1DC4
0x
1DC8
0x
1DCC
0x
1DD0
0x
1DD4
0x
1DD8
0x
1DDC
0x
1DE0
0x
1DE4
0x
1DE8
0x
1DEC
0x
1DF0
0x
1DF4
0x
1DF8
0x
1DFC
0x
1E00
0x
1E04
0x
1E08
0x
1E0C
0x
1E10
0x
1E14
0x
1E18
0x
1E1C
0x
1E20
0x
1E24
0x
1E28
0x
1E2C
0x
1E30
0x
1E34
0x
1E38
0x
1E50
0x
1E54
0x
1E5C
0x
1E60
0x
1E64
0x
1E68
0x
1E70
0x
1E7C
0x
1E80
0x
1E84
0x
1E88
0x
1E8C
0x
1E90
0x
1E94
0x
1E98
0x
1E9C
0x
1EA0
0x
1EA4
0x
1EA8
0x
1EAC
0x
1EB0
0x
1EB4
0x
1EB8
0x
1EBC
0x
1EC0
0x
1EC4
0x
1EC8
0x
1ECC
0x
1ED0
0x
1ED4
0x
1ED8
0x
1EDC
0x
1EE0
0x
1EE4
0x
1EE8
0x
1EEC
0x
1F04
0x
1F08
0x
1F0C
0x
1F10
0x
1F14
0x
1F18
0x
1F1C
0x
1F20
0x
1F2C
0x
1F30
0x
1F34
0x
1F38
0x
1F3C
0x
1F40
0x
1F48
0x
1F4C
0x
1F50
0x
1F54
0x
1F58
0x
1F5C
0x
1F60
0x
1F68
0x
1F6C
0x
1F70
0x
1F74
0x
1F78
0x
1F7C
0x
1F80
0x
1F84
0x
1F90
0x
1F94
0x
1F98
0x
1F9C
0x
1FA0
0x
1FA4
0x
1FA8
0x
1FAC
0x
1FB0
0x
1FB4
0x
1FC0
0x
1FC4
0x
1FC8
0x
1FCC
0x
1FD0
0x
1FD4
0x
1FD8
0x
1FDC
0x
1FE0
0x
1FE4
0x
1FE8
0x
1FF4
0x
1FF8
0x
1FFC
0x
DFC
0x
17C4
0x
5F0
0x
91C
0x
17C0
0x
172C
0x
17B8
0x
17DC
0x
178C
0x
1728
0x
464
0x
440
0x
E4C
0x
AB4
0x
EC
0x
454
0x
508
0x
1EF4
0x
1D98
0x
1E78
0x
424
0x
1E58
0x
45C
0x
1EF0
0x
1E74
0x
420
0x
1F28
0x
1F20
0x
1FBC
0x
2004
0x
2008
0x
200C
0x
2010
0x
2018
0x
201C
0x
2020
0x
2024
0x
202C
0x
2030
0x
2034
0x
2038
0x
203C
0x
2040
0x
2044
0x
2048
0x
204C
0x
2050
0x
2098
0x
209C
0x
20A0
0x
20A4
0x
20A8
0x
20AC
0x
20B0
0x
20B4
0x
20B8
0x
20BC
0x
20C0
0x
20C4
0x
20C8
0x
20CC
0x
20D0
0x
20D4
0x
20D8
0x
20DC
0x
20E0
0x
20E4
0x
20E8
0x
20EC
0x
20F0
0x
20F4
0x
20F8
0x
20FC
0x
2100
0x
2104
0x
2108
0x
210C
0x
2110
0x
2114
0x
2118
0x
211C
0x
2120
0x
2124
0x
2128
0x
212C
0x
2130
0x
2134
0x
2138
0x
213C
0x
2140
0x
2144
0x
2148
0x
214C
0x
2150
0x
2154
0x
2158
0x
215C
0x
2160
0x
2164
0x
2168
0x
216C
0x
2170
0x
2174
0x
2178
0x
217C
0x
2180
0x
2184
0x
2188
0x
218C
0x
2190
0x
2194
0x
2198
0x
219C
0x
21A0
0x
21A4
0x
21A8
0x
21AC
0x
21B0
0x
21B4
0x
21B8
0x
21BC
0x
21C0
0x
21C4
0x
21C8
0x
21CC
0x
21D0
0x
21D4
0x
21D8
0x
21DC
0x
21E0
0x
21E4
0x
21E8
0x
21EC
0x
21F0
0x
21F4
0x
21F8
0x
21FC
0x
2200
0x
2204
0x
2208
0x
220C
0x
2210
0x
2214
0x
2218
0x
221C
0x
2220
0x
2224
0x
2228
0x
222C
0x
2230
0x
2234
0x
2238
0x
223C
0x
2240
0x
2244
0x
2248
0x
224C
0x
2250
0x
2254
0x
2258
0x
225C
0x
2260
0x
2264
0x
2268
0x
226C
0x
2270
0x
2274
0x
2278
0x
227C
0x
2280
0x
2284
0x
2288
0x
228C
0x
2290
0x
2294
0x
2298
0x
229C
0x
22A0
0x
22A4
0x
22A8
0x
22AC
0x
22B0
0x
22B4
0x
22B8
0x
22BC
0x
22C0
0x
22C4
0x
22C8
0x
22CC
0x
22D0
0x
22D4
0x
22D8
0x
22DC
0x
22E0
0x
22E4
0x
22E8
0x
22EC
0x
22F0
0x
22F4
0x
22F8
0x
22FC
0x
2300
0x
2304
0x
2308
0x
230C
0x
2310
0x
2314
0x
2318
0x
231C
0x
2320
0x
2324
0x
2328
0x
232C
0x
2330
0x
2334
0x
2338
0x
233C
0x
2340
0x
2344
0x
2348
0x
234C
0x
2350
0x
2354
0x
2358
0x
235C
0x
2360
0x
2364
0x
2368
0x
236C
0x
2370
0x
2374
0x
2378
0x
237C
0x
2380
0x
2384
0x
2388
0x
238C
0x
2390
0x
2394
0x
2398
0x
239C
0x
23A0
0x
23A4
0x
23A8
0x
23AC
0x
23B0
0x
23B4
0x
23B8
0x
23BC
0x
23C0
0x
23C4
0x
23C8
0x
23CC
0x
23D0
0x
23D4
0x
23D8
0x
23DC
0x
23E0
0x
23E4
0x
23E8
0x
23EC
0x
23F0
0x
23F4
0x
23F8
0x
23FC
0x
1498
0x
13A8
0x
858
0x
1298
0x
13A4
0x
1E4C
0x
129C
0x
1294
0x
11B8
0x
2074
0x
123C
0x
205C
0x
2064
0x
2058
0x
1190
0x
1234
0x
1238
0x
1C6C
0x
1E48
0x
119C
0x
118C
0x
207C
0x
2014
0x
1F64
0x
DB0
0x
CA8
0x
CDC
0x
2068
0x
1EF8
0x
17BC
0x
1F44
0x
1F24
0x
2070
0x
2078
0x
1F8C
0x
206C
0x
15C
0x
2060
0x
1F88
0x
2054
0x
2028
0x
1FEC
0x
1FB8
0x
9E8
0x
A88
0x
A18
0x
9FC
0x
A20
0x
808
0x
A1C
0x
A30
0x
9F0
0x
A04
0x
AC0
0x
AF0
0x
AF8
0x
AFC
0x
B04
0x
B14
0x
B28
0x
1184
0x
A08
0x
B00
0x
2084
0x
2080
0x
A98
0x
13E0
0x
124C
0x
1198
0x
1244
0x
1248
0x
1C98
0x
1E6C
0x
11A0
0x
1194
0x
40
0x
52C
0x
C8C
0x
CAC
0x
C90
0x
2CC
0x
208C
0x
278
0x
368
0x
1E44
0x
1E40
0x
1D38
0x
1D80
0x
1E3C
0x
1F00
0x
1D68
0x
DA8
0x
23F0
0x
DAC
0x
DA4
0x
DA0
0x
D9C
0x
D98
0x
D94
0x
D90
0x
D8C
0x
D88
0x
D84
0x
D80
0x
9FC
0x
D7C
0x
D78
0x
AA8
0x
D74
0x
D70
0x
D6C
0x
D68
0x
D64
0x
D5C
0x
D60
0x
2404
0x
2408
0x
240C
0x
2410
0x
2414
0x
2418
0x
241C
0x
2420
0x
2424
0x
2430
0x
2434
0x
2438
0x
243C
0x
2440
0x
2444
0x
2448
0x
244C
0x
2450
0x
2454
0x
2458
0x
245C
0x
2464
0x
2468
0x
246C
0x
2470
0x
2474
0x
2478
0x
247C
0x
2480
0x
2484
0x
2488
0x
248C
0x
2490
0x
2494
0x
2498
0x
249C
0x
24A4
0x
24A8
0x
24AC
0x
24B0
0x
24B4
0x
24B8
0x
24BC
0x
24C0
0x
24C4
0x
24C8
0x
24CC
0x
24D0
0x
24D4
0x
24D8
0x
24DC
0x
24E0
0x
24E4
0x
24E8
0x
24EC
0x
24F0
0x
24F4
0x
24F8
0x
24FC
0x
2500
0x
2504
0x
2508
0x
250C
0x
2510
0x
2514
0x
251C
0x
2520
0x
2524
0x
2528
0x
252C
0x
2530
0x
2534
0x
2538
0x
253C
0x
2540
0x
2544
0x
2548
0x
254C
0x
2558
0x
255C
0x
2560
0x
2564
0x
2568
0x
256C
0x
2570
0x
2574
0x
2578
0x
257C
0x
2580
0x
2584
0x
2588
0x
258C
0x
2598
0x
259C
0x
25A0
0x
25A4
0x
25A8
0x
25AC
0x
25B0
0x
25B4
0x
25B8
0x
25BC
0x
25C0
0x
25C4
0x
25C8
0x
25CC
0x
25D0
0x
25D4
0x
25D8
0x
25DC
0x
25E0
0x
25E4
0x
25E8
0x
25EC
0x
25F0
0x
25F4
0x
25F8
0x
25FC
0x
2600
0x
2604
0x
2608
0x
260C
0x
2610
0x
2614
0x
2618
0x
261C
0x
2620
0x
2624
0x
2628
0x
262C
0x
2630
0x
2634
0x
2638
0x
263C
0x
2640
0x
2644
0x
2648
0x
264C
0x
2650
0x
2654
0x
2658
0x
265C
0x
2660
0x
2664
0x
2668
0x
266C
0x
2670
0x
2674
0x
2678
0x
267C
0x
2680
0x
2684
0x
2688
0x
268C
0x
2690
0x
2694
0x
2698
0x
269C
0x
26A0
0x
26A4
0x
26A8
0x
26AC
0x
26B0
0x
26B4
0x
26B8
0x
26BC
0x
26C0
0x
26C4
0x
26C8
0x
26CC
0x
26D0
0x
26D4
0x
26D8
0x
26DC
0x
26E0
0x
26E4
0x
26E8
0x
26EC
0x
26F0
0x
26F4
0x
26F8
0x
26FC
0x
2700
0x
2704
0x
2708
0x
270C
0x
2710
0x
2714
0x
2718
0x
271C
0x
2720
0x
2724
0x
2728
0x
272C
0x
2730
0x
2734
0x
2738
0x
273C
0x
2740
0x
2744
0x
2748
0x
274C
0x
2750
0x
2754
0x
2758
0x
275C
0x
2760
0x
2764
0x
2768
0x
276C
0x
2770
0x
2774
0x
2778
0x
277C
0x
2780
0x
2784
0x
2788
0x
278C
0x
2790
0x
2794
0x
2798
0x
279C
0x
27A0
0x
27A4
0x
27A8
0x
27AC
0x
27B0
0x
27B4
0x
27B8
0x
27BC
0x
27C0
0x
27C4
0x
27C8
0x
27CC
0x
27D0
0x
27D4
0x
27D8
0x
27DC
0x
27E0
0x
27E4
0x
27E8
0x
27EC
0x
27F0
0x
27F4
0x
27F8
0x
27FC
0x
1D34
0x
D54
0x
524
0x
C14
0x
E00
0x
618
0x
2460
0x
2C8
0x
8D0
0x
D50
0x
2518
0x
242C
0x
1C9C
0x
2428
0x
A28
0x
2090
0x
139C
0x
AB8
0x
CF0
0x
2554
0x
1EFC
0x
2590
0x
AA0
0x
ABC
0x
2550
0x
24A0
0x
CF4
0x
A9C
0x
AAC
0x
AA4
0x
2804
0x
2808
0x
280C
0x
2810
0x
2814
0x
2818
0x
281C
0x
2820
0x
2824
0x
2828
0x
282C
0x
2830
0x
2834
0x
2838
0x
283C
0x
2840
0x
2844
0x
2848
0x
284C
0x
2850
0x
2854
0x
2858
0x
285C
0x
2860
0x
2864
0x
2868
0x
286C
0x
2870
0x
2874
0x
2878
0x
287C
0x
2880
0x
2884
0x
2888
0x
288C
0x
2890
0x
2894
0x
2898
0x
289C
0x
28A0
0x
28A4
0x
28A8
0x
28AC
0x
28B0
0x
28B4
0x
28B8
0x
28BC
0x
28C0
0x
28C4
0x
28C8
0x
28CC
0x
28D0
0x
28D4
0x
28D8
0x
28DC
0x
28E0
0x
28E4
0x
28E8
0x
28EC
0x
28F0
0x
28F4
0x
28F8
0x
28FC
0x
2900
0x
2904
0x
2908
0x
290C
0x
2910
0x
2914
0x
2918
0x
291C
0x
2920
0x
2924
0x
2928
0x
292C
0x
2930
0x
2934
0x
2938
0x
293C
0x
2940
0x
2944
0x
2948
0x
294C
0x
2950
0x
2954
0x
2958
0x
295C
0x
2960
0x
2964
0x
2968
0x
296C
0x
2970
0x
2974
0x
2978
0x
297C
0x
2980
0x
2984
0x
2988
0x
298C
0x
2990
0x
2994
0x
2998
0x
299C
0x
29A0
0x
29A4
0x
29A8
0x
29AC
0x
29B0
0x
29B4
0x
29B8
0x
29BC
0x
29C0
0x
29C4
0x
29C8
0x
29CC
0x
29D0
0x
29DC
0x
29E0
0x
29E4
0x
29E8
0x
29EC
0x
29F0
0x
29F4
0x
2A00
0x
2A04
0x
2A08
0x
2A0C
0x
2A10
0x
2A14
0x
2A18
0x
2A1C
0x
2A20
0x
2A24
0x
2A28
0x
2A2C
0x
2A30
0x
2A34
0x
2A38
0x
2A3C
0x
2A40
0x
2A44
0x
2A48
0x
2A4C
0x
2A50
0x
2A54
0x
2A60
0x
2A64
0x
2A68
0x
2A6C
0x
2A70
0x
2A74
0x
2A78
0x
2A7C
0x
2A80
0x
2A84
0x
2A88
0x
2A8C
0x
2A94
0x
2AA0
0x
2AA4
0x
2AA8
0x
2AAC
0x
2AB0
0x
2AB4
0x
2AB8
0x
2ABC
0x
2AC8
0x
2ACC
0x
2AD0
0x
2AD4
0x
2AD8
0x
2ADC
0x
2AE0
0x
2AE4
0x
2AE8
0x
2AEC
0x
2AF0
0x
2AF4
0x
2AF8
0x
2B00
0x
2B04
0x
2B08
0x
2B0C
0x
2B10
0x
2B14
0x
2B18
0x
2B1C
0x
2B20
0x
2B24
0x
2B28
0x
2B2C
0x
2B30
0x
2B38
0x
2B3C
0x
2B40
0x
2B44
0x
2B48
0x
2B4C
0x
2B50
0x
2B54
0x
2B58
0x
2B5C
0x
2B60
0x
2B64
0x
2B6C
0x
2B70
0x
2B74
0x
2B78
0x
2B7C
0x
2B80
0x
2B84
0x
2B88
0x
2B8C
0x
2B90
0x
2B94
0x
2B98
0x
2B9C
0x
2BA0
0x
2BA4
0x
2BA8
0x
2BAC
0x
2BB0
0x
2BB4
0x
2BB8
0x
2BBC
0x
2BC0
0x
2BC4
0x
2BC8
0x
2BCC
0x
2BD0
0x
2BD4
0x
2BDC
0x
2BE0
0x
2BE4
0x
2BE8
0x
2BEC
0x
2BF0
0x
2BF4
0x
2BF8
0x
2BFC
0x
E88
0x
28EC
0x
29FC
0x
2AC4
0x
2C04
0x
2C1C
0x
2C20
0x
2C24
0x
2C28
0x
2C2C
0x
2C30
0x
2C34
0x
2C38
0x
2C3C
0x
2C40
0x
2C44
0x
2C48
0x
2C4C
0x
2C50
0x
2C54
0x
2C58
0x
2C5C
0x
2C60
0x
2C64
0x
2C68
0x
2C6C
0x
2C70
0x
2C74
0x
2C78
0x
2C7C
0x
2C80
0x
2C84
0x
2C88
0x
2C8C
0x
2C90
0x
2C94
0x
2C98
0x
2C9C
0x
2CA0
0x
2CA4
0x
2CA8
0x
2CAC
0x
2CB0
0x
2CB4
0x
2CB8
0x
2CBC
0x
2CC0
0x
2CC4
0x
2CC8
0x
2CCC
0x
2CD0
0x
2CD4
0x
2CD8
0x
2CDC
0x
2CE0
0x
2CE4
0x
2CE8
0x
2CEC
0x
2CF0
0x
2CF4
0x
2CF8
0x
2CFC
0x
2D00
0x
2D04
0x
2D08
0x
2D0C
0x
2D10
0x
2D14
0x
2D18
0x
2D1C
0x
2D20
0x
2D24
0x
2D28
0x
2D2C
0x
2D30
0x
2D34
0x
2D38
0x
2D3C
0x
2D40
0x
2D44
0x
2D48
0x
2D4C
0x
2D50
0x
2D54
0x
2D58
0x
2D5C
0x
2D60
0x
2D64
0x
2D68
0x
2D6C
0x
2D70
0x
2D74
0x
2D78
0x
2D7C
0x
2D80
0x
2D84
0x
2D88
0x
2D8C
0x
2D90
0x
2D94
0x
2D98
0x
2D9C
0x
2DA0
0x
2DA4
0x
2DA8
0x
2DAC
0x
2DB0
0x
2DB4
0x
2DB8
0x
2DBC
0x
2DC0
0x
2DC4
0x
2DC8
0x
2DCC
0x
2DD0
0x
2DD4
0x
2DD8
0x
2DDC
0x
2DE0
0x
2DE4
0x
2DE8
0x
2DEC
0x
2DF0
0x
2DF4
0x
2DF8
0x
2DFC
0x
2E00
0x
2E04
0x
2E08
0x
2E0C
0x
2E10
0x
2E14
0x
2E18
0x
2E1C
0x
2E20
0x
2E24
0x
2E28
0x
2E2C
0x
2E30
0x
2E34
0x
2E38
0x
2E3C
0x
2E40
0x
2E44
0x
2E48
0x
2E4C
0x
2E50
0x
2E54
0x
2E58
0x
2E5C
0x
2E60
0x
2E64
0x
2E68
0x
2E6C
0x
2E70
0x
2E74
0x
2E78
0x
2E7C
0x
2E80
0x
2E84
0x
2E88
0x
2E8C
0x
2E90
0x
2E94
0x
2E98
0x
2E9C
0x
2EA0
0x
2EA4
0x
2EA8
0x
2EAC
0x
2EB0
0x
2EB4
0x
2EB8
0x
2EBC
0x
2EC0
0x
2EC4
0x
2EC8
0x
2ECC
0x
2ED0
0x
2ED4
0x
2ED8
0x
2EDC
0x
2EE0
0x
2EE4
0x
2EE8
0x
2EEC
0x
2EF0
0x
2EF4
0x
2EF8
0x
2EFC
0x
2F00
0x
2F04
0x
2F08
0x
2F0C
0x
2F10
0x
2F14
0x
2F18
0x
2F1C
0x
2F20
0x
2F24
0x
2F28
0x
2F2C
0x
2F30
0x
2F34
0x
2F38
0x
2F3C
0x
2F40
0x
2F44
0x
2F48
0x
2F4C
0x
2F50
0x
2F54
0x
2F58
0x
2F5C
0x
2F60
0x
2F64
0x
2F68
0x
2F6C
0x
2F70
0x
2F74
0x
2F78
0x
2F7C
0x
2F80
0x
2F84
0x
2F88
0x
2F8C
0x
2F90
0x
2F94
0x
2F98
0x
2F9C
0x
2FA0
0x
2FA4
0x
2FA8
0x
2FAC
0x
2FB0
0x
2FB4
0x
2FB8
0x
2FBC
0x
2FC0
0x
2FC4
0x
2FC8
0x
2FCC
0x
2FD0
0x
2FD4
0x
2FD8
0x
2FDC
0x
2FE0
0x
2FE4
0x
2FE8
0x
2FEC
0x
2FF0
0x
2FF4
0x
2FF8
0x
2FFC
0x
1AC0
0x
2C0C
0x
29D8
0x
2A60
0x
2A5C
0x
2B68
0x
29D4
0x
2C14
0x
2C18
0x
2C10
0x
2A90
0x
2A58
0x
2A9C
0x
29F8
0x
2B34
0x
2C08
0x
2A98
0x
2BD8
0x
2AFC
0x
2AC0
0x
3004
0x
3008
0x
300C
0x
3010
0x
3014
0x
3018
0x
301C
0x
3020
0x
3024
0x
3028
0x
302C
0x
3030
0x
3034
0x
3038
0x
303C
0x
3040
0x
3044
0x
3048
0x
304C
0x
3050
0x
3054
0x
3058
0x
305C
0x
3060
0x
3064
0x
3068
0x
306C
0x
3070
0x
3074
0x
3078
0x
307C
0x
3080
0x
3084
0x
3088
0x
308C
0x
3090
0x
3094
0x
3098
0x
309C
0x
30A0
0x
30A4
0x
30A8
0x
30AC
0x
30B0
0x
30B4
0x
30B8
0x
30BC
0x
30C0
0x
30C4
0x
30C8
0x
30CC
0x
30D0
0x
30D4
0x
30D8
0x
30DC
0x
30E0
0x
30E4
0x
30E8
0x
30EC
0x
30F0
0x
30F4
0x
30F8
0x
30FC
0x
3100
0x
3104
0x
3108
0x
310C
0x
3110
0x
3114
0x
3118
0x
311C
0x
3120
0x
3124
0x
3128
0x
312C
0x
3130
0x
3134
0x
3138
0x
313C
0x
3140
0x
3144
0x
3148
0x
314C
0x
3150
0x
3154
0x
3158
0x
315C
0x
3160
0x
3164
0x
3168
0x
316C
0x
3170
0x
3174
0x
3178
0x
317C
0x
3180
0x
3184
0x
3188
0x
318C
0x
3190
0x
3194
0x
3198
0x
319C
0x
31A0
0x
31A4
0x
31A8
0x
31AC
0x
31B0
0x
31B4
0x
31B8
0x
31BC
0x
31C0
0x
31C4
0x
31C8
0x
31CC
0x
31D0
0x
31D4
0x
31D8
0x
31DC
0x
31E0
0x
31E4
0x
31E8
0x
31EC
0x
31F0
0x
31F4
0x
31F8
0x
31FC
0x
3200
0x
3204
0x
3208
0x
320C
0x
3210
0x
3214
0x
3218
0x
321C
0x
3220
0x
3224
0x
3228
0x
322C
0x
3230
0x
3234
0x
3238
0x
323C
0x
3240
0x
3244
0x
3248
0x
324C
0x
3250
0x
3254
0x
3258
0x
325C
0x
3260
0x
3264
0x
3268
0x
326C
0x
3270
0x
3274
0x
3278
0x
327C
0x
3280
0x
3284
0x
3288
0x
328C
0x
3290
0x
3294
0x
3298
0x
329C
0x
32A0
0x
32A4
0x
32A8
0x
32AC
0x
32B0
0x
32B4
0x
32B8
0x
32BC
0x
32C0
0x
32C4
0x
32C8
0x
32CC
0x
32D0
0x
32D4
0x
32D8
0x
32DC
0x
32E0
0x
32E4
0x
32E8
0x
32EC
0x
32F0
0x
32F4
0x
32F8
0x
32FC
0x
3300
0x
3304
0x
3308
0x
330C
0x
3310
0x
3314
0x
3318
0x
331C
0x
3320
0x
3324
0x
3328
0x
332C
0x
3330
0x
3334
0x
3338
0x
333C
0x
3340
0x
3344
0x
3348
0x
334C
0x
3350
0x
3354
0x
3358
0x
335C
0x
3360
0x
3364
0x
3368
0x
336C
0x
3370
0x
3374
0x
3378
0x
337C
0x
3380
0x
3384
0x
3388
0x
338C
0x
3390
0x
3394
0x
3398
0x
339C
0x
33A0
0x
33A4
0x
33A8
0x
33AC
0x
33B0
0x
33B4
0x
33B8
0x
33BC
0x
33C0
0x
33C4
0x
33C8
0x
33CC
0x
33D0
0x
33D4
0x
33D8
0x
33DC
0x
33E0
0x
33E4
0x
33E8
0x
33EC
0x
33F0
0x
33F4
0x
3404
0x
3408
0x
340C
0x
3410
0x
3414
0x
3418
0x
341C
0x
3428
0x
342C
0x
3430
0x
3434
0x
343C
0x
3440
0x
3444
0x
3448
0x
344C
0x
3450
0x
3454
0x
3458
0x
345C
0x
3460
0x
3464
0x
346C
0x
3470
0x
3474
0x
3478
0x
347C
0x
3480
0x
3484
0x
3488
0x
348C
0x
3490
0x
3494
0x
3498
0x
349C
0x
34A0
0x
34A4
0x
34A8
0x
34AC
0x
34B0
0x
34B4
0x
34B8
0x
34BC
0x
34C0
0x
34C4
0x
34C8
0x
34CC
0x
34D0
0x
34D4
0x
34D8
0x
34DC
0x
34E0
0x
34E4
0x
34E8
0x
34EC
0x
34F0
0x
34F4
0x
34F8
0x
34FC
0x
3500
0x
3504
0x
3508
0x
350C
0x
3510
0x
3514
0x
3518
0x
351C
0x
3520
0x
3524
0x
3528
0x
352C
0x
3530
0x
3534
0x
3538
0x
353C
0x
3540
0x
3544
0x
3548
0x
354C
0x
3550
0x
3554
0x
3558
0x
355C
0x
3560
0x
3564
0x
3568
0x
356C
0x
3570
0x
3574
0x
3578
0x
357C
0x
3580
0x
3584
0x
3588
0x
358C
0x
3590
0x
3594
0x
3598
0x
359C
0x
35A0
0x
35A4
0x
35A8
0x
35AC
0x
35B0
0x
35B4
0x
35B8
0x
35BC
0x
35C0
0x
35C4
0x
35C8
0x
35CC
0x
35D0
0x
35D4
0x
35D8
0x
35DC
0x
35E8
0x
35EC
0x
35F0
0x
35F4
0x
35F8
0x
35FC
0x
3600
0x
3604
0x
3608
0x
360C
0x
3610
0x
3614
0x
3618
0x
3628
0x
362C
0x
3630
0x
3634
0x
3638
0x
363C
0x
3640
0x
3644
0x
364C
0x
3650
0x
3654
0x
3658
0x
365C
0x
3660
0x
3664
0x
3668
0x
366C
0x
3670
0x
3674
0x
3678
0x
367C
0x
3680
0x
3684
0x
3688
0x
368C
0x
3690
0x
3694
0x
3698
0x
369C
0x
36A0
0x
36A4
0x
36AC
0x
36B0
0x
36B4
0x
36B8
0x
36BC
0x
36C0
0x
36C4
0x
36C8
0x
36CC
0x
36D0
0x
36D4
0x
36D8
0x
36DC
0x
36E0
0x
36E4
0x
36E8
0x
36EC
0x
36F0
0x
36F4
0x
36F8
0x
36FC
0x
3700
0x
3704
0x
3708
0x
370C
0x
3710
0x
3714
0x
3718
0x
371C
0x
3720
0x
3728
0x
372C
0x
3730
0x
3734
0x
3738
0x
373C
0x
3740
0x
3744
0x
3748
0x
374C
0x
3750
0x
3754
0x
3758
0x
375C
0x
3760
0x
3764
0x
3768
0x
376C
0x
3770
0x
3774
0x
3778
0x
377C
0x
3780
0x
3784
0x
3788
0x
378C
0x
3790
0x
3794
0x
379C
0x
37A0
0x
37A4
0x
37A8
0x
37AC
0x
37B0
0x
37B4
0x
37B8
0x
37BC
0x
37C0
0x
37C4
0x
37C8
0x
37CC
0x
37D0
0x
37D4
0x
37D8
0x
37DC
0x
37E0
0x
37EC
0x
37F0
0x
37F4
0x
37F8
0x
37FC
0x
33C8
0x
1998
0x
3424
0x
34DC
0x
1448
0x
3624
0x
1A88
0x
3808
0x
380C
0x
3810
0x
3814
0x
3818
0x
381C
0x
3820
0x
3824
0x
3828
0x
382C
0x
3830
0x
3838
0x
383C
0x
3840
0x
3844
0x
3848
0x
384C
0x
3850
0x
3854
0x
3858
0x
385C
0x
3860
0x
3864
0x
3868
0x
386C
0x
3870
0x
3874
0x
3878
0x
387C
0x
3880
0x
3884
0x
3888
0x
388C
0x
3890
0x
3894
0x
3898
0x
389C
0x
38A0
0x
38A4
0x
38A8
0x
38AC
0x
38B8
0x
38BC
0x
38C0
0x
38C4
0x
38C8
0x
38CC
0x
38D0
0x
38D4
0x
38D8
0x
38DC
0x
38E0
0x
38E4
0x
38E8
0x
38EC
0x
38F0
0x
38F4
0x
38F8
0x
38FC
0x
3900
0x
3904
0x
3908
0x
390C
0x
3910
0x
3914
0x
3918
0x
391C
0x
3920
0x
3924
0x
3928
0x
392C
0x
3930
0x
3934
0x
3938
0x
393C
0x
3940
0x
3944
0x
3948
0x
394C
0x
3950
0x
3954
0x
3958
0x
395C
0x
3960
0x
3964
0x
3968
0x
396C
0x
3974
0x
3978
0x
397C
0x
3980
0x
3984
0x
3988
0x
398C
0x
3990
0x
3994
0x
3998
0x
399C
0x
39A0
0x
39A4
0x
39A8
0x
39AC
0x
39B0
0x
39B4
0x
39B8
0x
39BC
0x
39C0
0x
39C4
0x
39C8
0x
39CC
0x
39D0
0x
39D4
0x
39D8
0x
39DC
0x
39E0
0x
39E4
0x
39E8
0x
39EC
0x
39F0
0x
39F4
0x
39F8
0x
39FC
0x
3A00
0x
3A04
0x
3A08
0x
3A0C
0x
3A10
0x
3A14
0x
3A18
0x
3A1C
0x
3A20
0x
3A24
0x
3A28
0x
3A2C
0x
3A30
0x
3A34
0x
3A38
0x
3A3C
0x
3A40
0x
3A44
0x
3A48
0x
3A4C
0x
3A50
0x
3A54
0x
3A58
0x
3A5C
0x
3A60
0x
3A64
0x
3A68
0x
3A6C
0x
3A70
0x
3A74
0x
3A78
0x
3A7C
0x
3A80
0x
3A84
0x
3A88
0x
3A8C
0x
3A90
0x
3A94
0x
3A98
0x
3A9C
0x
3AA0
0x
3AA4
0x
3AA8
0x
3AAC
0x
3AB0
0x
3AB4
0x
3AB8
0x
3ABC
0x
3AC0
0x
3AC4
0x
3AC8
0x
3ACC
0x
3AD0
0x
3AD4
0x
3AD8
0x
3ADC
0x
3AE0
0x
3AE4
0x
3AE8
0x
3AEC
0x
3AF0
0x
3AF4
0x
3AF8
0x
3AFC
0x
3B00
0x
3B04
0x
3B08
0x
3B0C
0x
3B10
0x
3B14
0x
3B18
0x
3B1C
0x
3B20
0x
3B24
0x
3B28
0x
3B2C
0x
3B30
0x
3B34
0x
3B38
0x
3B3C
0x
3B40
0x
3B44
0x
3B48
0x
3B4C
0x
3B50
0x
3B54
0x
3B58
0x
3B5C
0x
3B60
0x
3B64
0x
3B68
0x
3B6C
0x
3B70
0x
3B74
0x
3B78
0x
3B7C
0x
3B80
0x
3B84
0x
3B88
0x
3B8C
0x
3B90
0x
3B94
0x
3B98
0x
3B9C
0x
3BA0
0x
3BA4
0x
3BA8
0x
3BAC
0x
3BB0
0x
3BB4
0x
3BB8
0x
3BBC
0x
3BC0
0x
3BC4
0x
3BC8
0x
3BCC
0x
3BD0
0x
3BD4
0x
3BD8
0x
3BDC
0x
3BE0
0x
3BE4
0x
3BE8
0x
3BEC
0x
3BF0
0x
3BF4
0x
3BF8
0x
3BFC
0x
38B4
0x
3970
0x
35E4
0x
36A8
0x
3804
0x
37E8
0x
3834
0x
3798
0x
3648
0x
33FC
0x
3C04
0x
3C08
0x
3C0C
0x
3C10
0x
3C14
0x
3C18
0x
3C1C
0x
3C20
0x
3C24
0x
3C28
0x
3C2C
0x
3C30
0x
3C34
0x
3C38
0x
3C3C
0x
3C40
0x
3C44
0x
3C48
0x
3C4C
0x
3C50
0x
3C54
0x
3C58
0x
3C5C
0x
3C60
0x
3C64
0x
3C68
0x
3C6C
0x
3C70
0x
3C74
0x
3C78
0x
3C7C
0x
3C80
0x
3C84
0x
3C88
0x
3C8C
0x
3C90
0x
3C94
0x
3C98
0x
3C9C
0x
3CA0
0x
3CA4
0x
3CA8
0x
3CAC
0x
3CB0
0x
3CB4
0x
3CB8
0x
3CBC
0x
3CC0
0x
3CC4
0x
3CC8
0x
3CD4
0x
3CD8
0x
3CDC
0x
3CE0
0x
3CE4
0x
3CE8
0x
3CEC
0x
3CF0
0x
3CF4
0x
3CF8
0x
3CFC
0x
3D00
0x
3D04
0x
3D08
0x
3D0C
0x
3D10
0x
3D14
0x
3D18
0x
3D1C
0x
3D20
0x
3D24
0x
3D28
0x
3D2C
0x
3D30
0x
3D34
0x
3D38
0x
3D3C
0x
3D40
0x
3D44
0x
3D48
0x
3D4C
0x
3D50
0x
3D54
0x
3D58
0x
3D5C
0x
3D60
0x
3D64
0x
3D68
0x
3D6C
0x
3D70
0x
3D74
0x
3D78
0x
3D7C
0x
3D80
0x
3D84
0x
3D88
0x
3D8C
0x
3D90
0x
3D94
0x
3D98
0x
3D9C
0x
3DA0
0x
3DA4
0x
3DA8
0x
3DAC
0x
3DB0
0x
3DB4
0x
3DB8
0x
3DBC
0x
3DC0
0x
3DC4
0x
3DC8
0x
3DCC
0x
3DD0
0x
3DD4
0x
3DD8
0x
3DDC
0x
3DE0
0x
3DE4
0x
3DE8
0x
3DEC
0x
3DF0
0x
3DF4
0x
3DF8
0x
3DFC
0x
3E00
0x
3E04
0x
3E08
0x
3E0C
0x
3E10
0x
3E14
0x
3E18
0x
3E1C
0x
3E20
0x
3E24
0x
3E28
0x
3E2C
0x
3E34
0x
3E38
0x
3E3C
0x
3E40
0x
3E44
0x
3E48
0x
3E4C
0x
3E50
0x
3E54
0x
3E58
0x
3E5C
0x
3E60
0x
3E64
0x
3E68
0x
3E6C
0x
3E70
0x
3E74
0x
3E78
0x
3E7C
0x
3E80
0x
3E84
0x
3E88
0x
3E8C
0x
3E90
0x
3E94
0x
3E98
0x
3E9C
0x
3EA0
0x
3EA4
0x
3EA8
0x
3EB4
0x
3EB8
0x
3EBC
0x
3EC0
0x
3EC4
0x
3EC8
0x
3ECC
0x
3ED0
0x
3ED4
0x
3ED8
0x
3EDC
0x
3EE0
0x
3EE4
0x
3EE8
0x
3EEC
0x
3EF0
0x
3EF4
0x
3EF8
0x
3EFC
0x
3F00
0x
3F04
0x
3F08
0x
3F0C
0x
3F10
0x
3F14
0x
3F18
0x
3F1C
0x
3F20
0x
3F24
0x
3F28
0x
3F2C
0x
3F30
0x
3F34
0x
3F38
0x
3F3C
0x
3F40
0x
3F44
0x
3F4C
0x
3F50
0x
3F54
0x
3F58
0x
3F5C
0x
3F60
0x
3F64
0x
3F68
0x
3F6C
0x
3F70
0x
3F74
0x
3F78
0x
3F7C
0x
3F80
0x
3F84
0x
3F90
0x
3F94
0x
3F98
0x
3F9C
0x
3FA0
0x
3FA4
0x
3FA8
0x
3FAC
0x
3FB0
0x
3FB4
0x
3FB8
0x
3FBC
0x
3FC0
0x
3FC4
0x
3FC8
0x
3FCC
0x
3FD0
0x
3FD4
0x
3FD8
0x
3FDC
0x
3FE0
0x
3FE4
0x
3FE8
0x
3FEC
0x
3FF0
0x
3FF4
0x
3FF8
0x
3FFC
0x
3468
0x
3724
0x
361C
0x
3438
0x
38B0
0x
35E0
0x
37E4
0x
3620
0x
33F8
0x
3420
0x
4004
0x
4008
0x
400C
0x
4010
0x
4014
0x
4018
0x
401C
0x
4020
0x
4024
0x
4028
0x
402C
0x
4030
0x
4034
0x
403C
0x
4040
0x
4044
0x
4048
0x
404C
0x
4050
0x
4054
0x
4058
0x
405C
0x
4060
0x
4064
0x
4068
0x
406C
0x
4070
0x
4074
0x
4078
0x
407C
0x
4080
0x
4084
0x
4088
0x
408C
0x
4090
0x
4094
0x
4098
0x
409C
0x
40A0
0x
40A4
0x
40A8
0x
40AC
0x
40B0
0x
40B4
0x
40B8
0x
40BC
0x
40C0
0x
40C4
0x
40C8
0x
40CC
0x
40D0
0x
40D4
0x
40D8
0x
40DC
0x
40E0
0x
40E4
0x
40E8
0x
40EC
0x
40F0
0x
40F4
0x
40F8
0x
40FC
0x
4100
0x
4104
0x
4108
0x
410C
0x
4110
0x
4114
0x
4118
0x
411C
0x
4120
0x
4124
0x
4128
0x
412C
0x
4130
0x
4134
0x
4138
0x
413C
0x
4140
0x
4144
0x
4148
0x
414C
0x
4150
0x
4154
0x
4158
0x
415C
0x
4160
0x
4164
0x
4168
0x
416C
0x
4170
0x
4174
0x
4178
0x
417C
0x
4180
0x
4184
0x
4188
0x
418C
0x
4190
0x
4194
0x
4198
0x
419C
0x
41A0
0x
41A4
0x
41A8
0x
41AC
0x
41B0
0x
41B4
0x
41B8
0x
41BC
0x
41C0
0x
41C4
0x
41C8
0x
41CC
0x
41D0
0x
41D4
0x
41D8
0x
41DC
0x
41E0
0x
41E4
0x
41E8
0x
41EC
0x
41F0
0x
41F4
0x
41F8
0x
41FC
0x
4200
0x
4204
0x
4208
0x
420C
0x
4210
0x
4214
0x
4218
0x
421C
0x
4220
0x
4224
0x
4228
0x
422C
0x
4230
0x
4234
0x
4238
0x
423C
0x
4240
0x
4244
0x
4248
0x
424C
0x
4250
0x
4254
0x
4258
0x
425C
0x
4260
0x
4264
0x
4268
0x
426C
0x
4270
0x
4274
0x
4278
0x
427C
0x
4280
0x
4284
0x
4288
0x
428C
0x
4290
0x
4294
0x
4298
0x
429C
0x
42A0
0x
42A4
0x
42A8
0x
42AC
0x
42B0
0x
42B4
0x
42B8
0x
42BC
0x
42C0
0x
42C4
0x
42C8
0x
42CC
0x
42D0
0x
42D4
0x
42D8
0x
42DC
0x
42E0
0x
42E4
0x
42E8
0x
42EC
0x
42F0
0x
42F4
0x
42F8
0x
42FC
0x
4300
0x
4304
0x
4308
0x
430C
0x
4310
0x
4314
0x
4318
0x
431C
0x
4320
0x
4324
0x
4328
0x
432C
0x
4330
0x
4334
0x
4338
0x
433C
0x
4340
0x
4344
0x
4348
0x
434C
0x
4350
0x
4354
0x
4358
0x
435C
0x
4360
0x
4364
0x
4368
0x
436C
0x
4370
0x
4374
0x
4378
0x
437C
0x
4380
0x
4384
0x
4388
0x
438C
0x
4390
0x
4394
0x
439C
0x
4398
0x
43A0
0x
43A4
0x
43A8
0x
43AC
0x
43B0
0x
43B4
0x
43BC
0x
43C0
0x
43C4
0x
43C8
0x
43CC
0x
43D0
0x
43D4
0x
43D8
0x
43DC
0x
43E0
0x
43E4
0x
43E8
0x
43EC
0x
43F0
0x
43F4
0x
43F8
0x
43FC
0x
F5C
0x
F58
0x
4404
0x
4408
0x
440C
0x
4410
0x
4414
0x
4418
0x
441C
0x
4420
0x
4424
0x
4428
0x
442C
0x
4430
0x
4434
0x
4438
0x
443C
0x
4440
0x
4444
0x
4448
0x
444C
0x
4450
0x
4454
0x
4458
0x
445C
0x
4460
0x
4464
0x
4468
0x
446C
0x
4470
0x
4474
0x
4478
0x
447C
0x
4480
0x
4484
0x
4488
0x
448C
0x
4490
0x
4494
0x
4498
0x
449C
0x
44A0
0x
44A4
0x
44A8
0x
44AC
0x
44B0
0x
44B4
0x
44B8
0x
44BC
0x
44C0
0x
44C4
0x
44C8
0x
44CC
0x
44D0
0x
44D4
0x
44E8
0x
44EC
0x
44F0
0x
44F4
0x
44F8
0x
44FC
0x
4500
0x
4504
0x
4508
0x
450C
0x
4510
0x
4514
0x
4518
0x
451C
0x
4520
0x
4524
0x
4528
0x
452C
0x
4530
0x
4534
0x
4538
0x
453C
0x
4540
0x
4544
0x
4548
0x
4550
0x
4554
0x
4558
0x
455C
0x
4560
0x
4568
0x
456C
0x
4570
0x
4574
0x
4578
0x
457C
0x
4580
0x
4584
0x
4588
0x
458C
0x
4590
0x
4594
0x
4598
0x
459C
0x
45A0
0x
45A4
0x
45A8
0x
45AC
0x
45B0
0x
45B4
0x
45B8
0x
45BC
0x
45C0
0x
45C4
0x
45C8
0x
45CC
0x
45D0
0x
45D4
0x
45D8
0x
45DC
0x
45E0
0x
45E4
0x
45E8
0x
45EC
0x
45F0
0x
45F4
0x
45F8
0x
45FC
0x
4600
0x
4604
0x
4608
0x
460C
0x
4610
0x
4614
0x
4618
0x
461C
0x
4620
0x
4624
0x
4628
0x
462C
0x
4630
0x
4634
0x
4638
0x
463C
0x
4640
0x
4644
0x
4648
0x
464C
0x
4658
0x
465C
0x
4660
0x
4664
0x
4668
0x
466C
0x
4670
0x
4674
0x
4678
0x
467C
0x
4680
0x
4684
0x
4688
0x
468C
0x
4690
0x
4698
0x
469C
0x
46A0
0x
46A4
0x
46A8
0x
46AC
0x
46B0
0x
46B4
0x
46B8
0x
46BC
0x
46C0
0x
46C4
0x
46C8
0x
46CC
0x
46D0
0x
46EC
0x
46F0
0x
46F4
0x
46F8
0x
46FC
0x
4700
0x
4704
0x
4718
0x
471C
0x
4720
0x
4724
0x
4728
0x
472C
0x
4730
0x
4734
0x
4738
0x
4750
0x
4754
0x
4758
0x
475C
0x
4760
0x
4764
0x
4768
0x
476C
0x
4770
0x
4774
0x
4778
0x
477C
0x
4780
0x
4784
0x
4788
0x
478C
0x
4790
0x
4794
0x
4798
0x
479C
0x
47A0
0x
47A4
0x
47A8
0x
47AC
0x
47B8
0x
47BC
0x
47C0
0x
47C4
0x
47C8
0x
47CC
0x
47D0
0x
47D4
0x
47D8
0x
47DC
0x
47E0
0x
47E4
0x
47E8
0x
47EC
0x
47F0
0x
47F4
0x
47F8
0x
47FC
0x
439C
0x
44E4
0x
46D0
0x
470C
0x
4804
0x
4808
0x
480C
0x
4810
0x
4814
0x
4818
0x
481C
0x
4820
0x
4824
0x
4828
0x
482C
0x
4830
0x
4834
0x
4838
0x
483C
0x
4840
0x
4844
0x
4848
0x
484C
0x
4850
0x
4854
0x
4860
0x
4864
0x
4868
0x
486C
0x
4870
0x
4874
0x
4878
0x
487C
0x
4880
0x
4884
0x
4888
0x
488C
0x
4890
0x
4894
0x
4898
0x
489C
0x
48A0
0x
48A4
0x
48A8
0x
48AC
0x
48B0
0x
48B4
0x
48B8
0x
48BC
0x
48C0
0x
48C4
0x
48C8
0x
48CC
0x
48D0
0x
48D4
0x
48D8
0x
48DC
0x
48E0
0x
48E4
0x
48E8
0x
48EC
0x
48F0
0x
48F4
0x
48F8
0x
48FC
0x
4900
0x
4904
0x
4908
0x
490C
0x
4910
0x
4914
0x
4918
0x
491C
0x
4920
0x
4924
0x
4928
0x
492C
0x
4930
0x
4934
0x
4938
0x
493C
0x
4940
0x
4944
0x
4948
0x
494C
0x
4950
0x
4954
0x
4958
0x
495C
0x
4960
0x
4964
0x
4968
0x
496C
0x
4970
0x
4974
0x
4978
0x
4980
0x
4984
0x
4988
0x
498C
0x
4990
0x
4994
0x
4998
0x
499C
0x
49A0
0x
49A4
0x
49A8
0x
49AC
0x
49B0
0x
49B4
0x
49B8
0x
49BC
0x
49C0
0x
49C4
0x
49C8
0x
49CC
0x
49D0
0x
49D4
0x
49D8
0x
49DC
0x
49E0
0x
49E4
0x
49E8
0x
49EC
0x
49F0
0x
49F4
0x
49F8
0x
49FC
0x
4A00
0x
4A04
0x
4A08
0x
4A0C
0x
4A10
0x
4A14
0x
4A18
0x
4A1C
0x
4A20
0x
4A24
0x
4A28
0x
4A2C
0x
4A30
0x
4A34
0x
4A38
0x
4A3C
0x
4A40
0x
4A44
0x
4A48
0x
4A4C
0x
4A50
0x
4A54
0x
4A58
0x
4A5C
0x
4A60
0x
4A64
0x
4A68
0x
4A6C
0x
4A70
0x
4A74
0x
4A78
0x
4A7C
0x
4A80
0x
4A84
0x
4A88
0x
4A8C
0x
4A90
0x
4A9C
0x
4AA0
0x
4AA4
0x
4AA8
0x
4AAC
0x
4AB0
0x
4AB4
0x
4AB8
0x
4ABC
0x
4AC0
0x
4AC4
0x
4AC8
0x
4ACC
0x
4AD0
0x
4AD4
0x
4AD8
0x
4ADC
0x
4AE0
0x
4AE4
0x
4AE8
0x
4AEC
0x
4AF0
0x
4AF4
0x
4AF8
0x
4AFC
0x
4B00
0x
4B04
0x
4B08
0x
4B0C
0x
4B10
0x
4B14
0x
4B18
0x
4B1C
0x
4B20
0x
4B24
0x
4B28
0x
4B2C
0x
4B30
0x
4B34
0x
4B38
0x
4B3C
0x
4B40
0x
4B44
0x
4B48
0x
4B4C
0x
4B50
0x
4B54
0x
4B58
0x
4B5C
0x
4B60
0x
4B64
0x
4B68
0x
4B6C
0x
4B70
0x
4B74
0x
4B78
0x
4B7C
0x
4B80
0x
4B84
0x
4B88
0x
4B8C
0x
4B90
0x
4B94
0x
4B98
0x
4B9C
0x
4BA0
0x
4BA4
0x
4BA8
0x
4BAC
0x
4BB0
0x
4BB4
0x
4BB8
0x
4BBC
0x
4BC0
0x
4BC8
0x
4BCC
0x
4BD0
0x
4BD4
0x
4BD8
0x
4BDC
0x
4BE0
0x
4BE4
0x
4BE8
0x
4BEC
0x
4BF0
0x
4BF4
0x
4BF8
0x
4BFC
0x
4C04
0x
4C08
0x
4C0C
0x
4C10
0x
4C14
0x
4C18
0x
4C1C
0x
4C20
0x
4C24
0x
4C28
0x
4C2C
0x
4C30
0x
4C34
0x
4C38
0x
4C3C
0x
4C40
0x
4C44
0x
4C48
0x
4C4C
0x
4C50
0x
4C54
0x
4C58
0x
4C5C
0x
4C60
0x
4C64
0x
4C68
0x
4C6C
0x
4C70
0x
4C74
0x
4C78
0x
4C7C
0x
4C80
0x
4C84
0x
4C88
0x
4C8C
0x
4C90
0x
4C94
0x
4C98
0x
4C9C
0x
4CA0
0x
4CA4
0x
4CA8
0x
4CAC
0x
4CB0
0x
4CB4
0x
4CB8
0x
4CBC
0x
4CC0
0x
4CC4
0x
4CC8
0x
4CCC
0x
4CD0
0x
4CD4
0x
4CD8
0x
4CDC
0x
4CE0
0x
4CE4
0x
4CE8
0x
4CEC
0x
4CF0
0x
4CF4
0x
4CF8
0x
4CFC
0x
4D00
0x
4D04
0x
4D08
0x
4D0C
0x
4D10
0x
4D14
0x
4D18
0x
4D1C
0x
4D20
0x
4D24
0x
4D28
0x
4D2C
0x
4D30
0x
4D34
0x
4D38
0x
4D3C
0x
4D40
0x
4D44
0x
4D48
0x
4D4C
0x
4D50
0x
4D54
0x
4D58
0x
4D5C
0x
4D60
0x
4D64
0x
4D68
0x
4D6C
0x
4D70
0x
4D74
0x
4D78
0x
4D7C
0x
4D80
0x
4D84
0x
4D88
0x
4D8C
0x
4D90
0x
4D94
0x
4D98
0x
4D9C
0x
4DA0
0x
4DA4
0x
4DA8
0x
4DAC
0x
4DB0
0x
4DB4
0x
4DB8
0x
4DBC
0x
4DC0
0x
4DC4
0x
4DC8
0x
4DCC
0x
4DD0
0x
4DD4
0x
4DD8
0x
4DDC
0x
4DE0
0x
4DE4
0x
4DE8
0x
4DEC
0x
4DF0
0x
4DF4
0x
4DF8
0x
4DFC
0x
4E00
0x
4E04
0x
4E08
0x
4E0C
0x
4E10
0x
4E14
0x
4E18
0x
4E1C
0x
4E20
0x
4E24
0x
4E28
0x
4E2C
0x
4E30
0x
4E34
0x
4E38
0x
4E3C
0x
4E40
0x
4E44
0x
4E48
0x
4E4C
0x
4E50
0x
4E54
0x
4E58
0x
4E5C
0x
4E60
0x
4E64
0x
4E68
0x
4E6C
0x
4E70
0x
4E74
0x
4E78
0x
4E7C
0x
4E80
0x
4E84
0x
4E88
0x
4E8C
0x
4E90
0x
4E94
0x
4E98
0x
4E9C
0x
4EA0
0x
4EA4
0x
4EA8
0x
4EAC
0x
4EB0
0x
4EB4
0x
4EB8
0x
4EBC
0x
4EC0
0x
4EC4
0x
4EC8
0x
4ECC
0x
4ED0
0x
4ED4
0x
4ED8
0x
4EDC
0x
4EE0
0x
4EE4
0x
4EE8
0x
4EEC
0x
4EF0
0x
4EF4
0x
4EF8
0x
4EFC
0x
4F00
0x
4F04
0x
4F08
0x
4F0C
0x
4F10
0x
4F14
0x
4F18
0x
4F1C
0x
4F20
0x
4F24
0x
4F28
0x
4F2C
0x
4F30
0x
4F34
0x
4F38
0x
4F3C
0x
4F40
0x
4F44
0x
4F48
0x
4F4C
0x
4F50
0x
4F54
0x
4F58
0x
4F5C
0x
4F60
0x
4F64
0x
4F68
0x
4F6C
0x
4F70
0x
4F74
0x
4F78
0x
4F7C
0x
4F80
0x
4F84
0x
4F88
0x
4F8C
0x
4F90
0x
4F94
0x
4F98
0x
4F9C
0x
4FA0
0x
4FA4
0x
4FA8
0x
4FAC
0x
4FB0
0x
4FB4
0x
4FB8
0x
4FBC
0x
4FC0
0x
4FC4
0x
4FC8
0x
4FCC
0x
4FD0
0x
4FD4
0x
4FD8
0x
4FDC
0x
4FE0
0x
4FE4
0x
4FE8
0x
4FEC
0x
4FF0
0x
4FF4
0x
4FF8
0x
4FFC
0x
4748
0x
485C
0x
4744
0x
44DC
0x
4564
0x
46D8
0x
4694
0x
44D8
0x
454C
0x
44E0
0x
5004
0x
5008
0x
500C
0x
5010
0x
5014
0x
5018
0x
501C
0x
5020
0x
5024
0x
5028
0x
502C
0x
5030
0x
5034
0x
5038
0x
503C
0x
5040
0x
5044
0x
5048
0x
504C
0x
5050
0x
5054
0x
5058
0x
505C
0x
5060
0x
5064
0x
5068
0x
506C
0x
5070
0x
5074
0x
5078
0x
507C
0x
5080
0x
5084
0x
5088
0x
508C
0x
5090
0x
5094
0x
5098
0x
509C
0x
50A0
0x
50A4
0x
50A8
0x
50AC
0x
50B0
0x
50B4
0x
50B8
0x
50BC
0x
50C0
0x
50C4
0x
50C8
0x
50CC
0x
50D0
0x
50D4
0x
50D8
0x
50DC
0x
50E0
0x
50E4
0x
50E8
0x
50EC
0x
50F0
0x
50F4
0x
50F8
0x
50FC
0x
5100
0x
5104
0x
5108
0x
510C
0x
5110
0x
5114
0x
5118
0x
511C
0x
5120
0x
5124
0x
5128
0x
512C
0x
5130
0x
5134
0x
5138
0x
513C
0x
5140
0x
5144
0x
5148
0x
514C
0x
5150
0x
5154
0x
5158
0x
515C
0x
5168
0x
516C
0x
5170
0x
5174
0x
5178
0x
517C
0x
5180
0x
5184
0x
5188
0x
518C
0x
5190
0x
5194
0x
5198
0x
519C
0x
51A0
0x
51A4
0x
51A8
0x
51AC
0x
51B0
0x
51B4
0x
51B8
0x
51BC
0x
51C0
0x
51C4
0x
51C8
0x
51CC
0x
51D0
0x
51D4
0x
51D8
0x
51DC
0x
51E0
0x
51E4
0x
51E8
0x
51EC
0x
51F0
0x
51F4
0x
51F8
0x
51FC
0x
5200
0x
5204
0x
5208
0x
520C
0x
5210
0x
5214
0x
5218
0x
521C
0x
5220
0x
5224
0x
5228
0x
522C
0x
5230
0x
5234
0x
5238
0x
523C
0x
5240
0x
5244
0x
5248
0x
524C
0x
5250
0x
5254
0x
5258
0x
525C
0x
5260
0x
5264
0x
5268
0x
526C
0x
5270
0x
5274
0x
5278
0x
527C
0x
5280
0x
5284
0x
5288
0x
528C
0x
5290
0x
5294
0x
5298
0x
529C
0x
52A0
0x
52A4
0x
52A8
0x
52AC
0x
52B0
0x
52B4
0x
52B8
0x
52BC
0x
52C0
0x
52C4
0x
52C8
0x
52CC
0x
52D0
0x
52D4
0x
52D8
0x
52DC
0x
52E0
0x
52E4
0x
52E8
0x
52EC
0x
52F0
0x
52F4
0x
52F8
0x
52FC
0x
5300
0x
5304
0x
5308
0x
530C
0x
5310
0x
5314
0x
5318
0x
531C
0x
5320
0x
5324
0x
5328
0x
532C
0x
5330
0x
5334
0x
5338
0x
533C
0x
5340
0x
5344
0x
5348
0x
534C
0x
5350
0x
5354
0x
5358
0x
535C
0x
5360
0x
5364
0x
5368
0x
536C
0x
5370
0x
5374
0x
5378
0x
537C
0x
5380
0x
5384
0x
5388
0x
538C
0x
5390
0x
5394
0x
5398
0x
539C
0x
53A0
0x
53A4
0x
53A8
0x
53AC
0x
53B0
0x
53B4
0x
53B8
0x
53BC
0x
53C0
0x
53C4
0x
53C8
0x
53CC
0x
53D0
0x
53D4
0x
53D8
0x
53DC
0x
53E0
0x
53E4
0x
53E8
0x
53EC
0x
53F0
0x
53F4
0x
53F8
0x
53FC
0x
4A98
0x
4BC4
0x
4A94
0x
46E4
0x
47B0
0x
497C
0x
4858
0x
46E0
0x
473C
0x
4708
0x
F34
0x
5404
0x
5408
0x
540C
0x
5410
0x
5414
0x
5418
0x
541C
0x
5420
0x
5424
0x
5428
0x
542C
0x
5430
0x
5434
0x
5438
0x
543C
0x
5440
0x
5444
0x
5448
0x
544C
0x
5450
0x
5454
0x
5458
0x
545C
0x
5460
0x
5464
0x
5468
0x
546C
0x
5470
0x
5474
0x
5478
0x
547C
0x
5480
0x
5484
0x
5488
0x
548C
0x
5490
0x
5494
0x
5498
0x
549C
0x
54A0
0x
54A4
0x
54A8
0x
54AC
0x
54B0
0x
54B4
0x
54B8
0x
54BC
0x
54C0
0x
54C4
0x
54C8
0x
54CC
0x
54D0
0x
54D4
0x
54D8
0x
54DC
0x
54E0
0x
54E4
0x
54E8
0x
54EC
0x
54F0
0x
54F4
0x
54F8
0x
54FC
0x
5500
0x
5504
0x
5508
0x
550C
0x
5510
0x
5514
0x
5518
0x
551C
0x
5520
0x
5524
0x
5528
0x
5540
0x
5570
0x
5574
0x
5578
0x
557C
0x
5580
0x
5584
0x
5588
0x
558C
0x
5590
0x
5594
0x
5598
0x
559C
0x
55A0
0x
55A4
0x
55A8
0x
55AC
0x
55B0
0x
55B4
0x
55B8
0x
55BC
0x
55C0
0x
55C4
0x
55C8
0x
55CC
0x
55D0
0x
5600
0x
5604
0x
5608
0x
560C
0x
5610
0x
5614
0x
5618
0x
561C
0x
5620
0x
5624
0x
5628
0x
562C
0x
5630
0x
5634
0x
5638
0x
563C
0x
5640
0x
5644
0x
5648
0x
564C
0x
5650
0x
5654
0x
5658
0x
565C
0x
5660
0x
5664
0x
5668
0x
566C
0x
5670
0x
5674
0x
5678
0x
567C
0x
5680
0x
5684
0x
5688
0x
568C
0x
5690
0x
5694
0x
5698
0x
569C
0x
56A0
0x
56A4
0x
56A8
0x
56AC
0x
56B0
0x
56B4
0x
56B8
0x
56BC
0x
56C0
0x
56C4
0x
56C8
0x
56CC
0x
56D0
0x
56D4
0x
56D8
0x
56DC
0x
56E0
0x
56E4
0x
56E8
0x
56EC
0x
56F0
0x
56F4
0x
56F8
0x
56FC
0x
5700
0x
5704
0x
5708
0x
570C
0x
5710
0x
5714
0x
5718
0x
571C
0x
5720
0x
5724
0x
5728
0x
572C
0x
5730
0x
5734
0x
5738
0x
573C
0x
5740
0x
5744
0x
5748
0x
574C
0x
5750
0x
5754
0x
5758
0x
575C
0x
5760
0x
5764
0x
5768
0x
576C
0x
5770
0x
5774
0x
5778
0x
577C
0x
5780
0x
5784
0x
5788
0x
578C
0x
5790
0x
5794
0x
5798
0x
579C
0x
57A0
0x
57A4
0x
57A8
0x
57AC
0x
57B0
0x
57B4
0x
57B8
0x
57BC
0x
57C0
0x
57C4
0x
57C8
0x
57CC
0x
57D0
0x
57D4
0x
57D8
0x
57DC
0x
57E0
0x
57E4
0x
57E8
0x
57EC
0x
57F0
0x
57F4
0x
57F8
0x
57FC
0x
79C
0x
7A0
0x
5528
0x
5538
0x
5554
0x
5558
0x
5550
0x
5530
0x
5544
0x
554C
0x
5548
0x
552C
0x
553C
0x
5534
0x
1B08
0x
5564
0x
555C
0x
556C
0x
55D0
0x
55E0
0x
55F8
0x
55FC
0x
55D8
0x
55F4
0x
55E8
0x
55F0
0x
55D4
0x
55EC
0x
55E4
0x
55DC
0x
270
0x
4B0
0x
2F0
0x
4B4
0x
A60
0x
348
0x
3D8
0x
5804
0x
5808
0x
580C
0x
5810
0x
5814
0x
5818
0x
581C
0x
5820
0x
5824
0x
5828
0x
582C
0x
5830
0x
5834
0x
5838
0x
583C
0x
5840
0x
5844
0x
5848
0x
584C
0x
5850
0x
5854
0x
5858
0x
585C
0x
5860
0x
5864
0x
5868
0x
586C
0x
5870
0x
5874
0x
5878
0x
587C
0x
5880
0x
5884
0x
5888
0x
588C
0x
5890
0x
5894
0x
5898
0x
589C
0x
58A0
0x
58A4
0x
58A8
0x
58C4
0x
58C8
0x
58CC
0x
58D0
0x
58D4
0x
58DC
0x
58E0
0x
58F4
0x
58F8
0x
58FC
0x
5900
0x
5904
0x
5908
0x
590C
0x
5910
0x
5914
0x
5918
0x
591C
0x
5920
0x
5924
0x
5928
0x
592C
0x
5930
0x
5934
0x
5938
0x
593C
0x
5940
0x
5944
0x
5948
0x
594C
0x
5950
0x
5954
0x
5958
0x
595C
0x
5960
0x
5964
0x
5968
0x
596C
0x
5970
0x
5974
0x
5978
0x
597C
0x
5980
0x
5984
0x
5988
0x
598C
0x
5990
0x
5994
0x
5998
0x
599C
0x
59A0
0x
59A4
0x
59A8
0x
59AC
0x
59B0
0x
59B4
0x
59B8
0x
59BC
0x
59C0
0x
59C4
0x
59C8
0x
59CC
0x
59D0
0x
59D4
0x
59D8
0x
59DC
0x
59E0
0x
59E4
0x
59E8
0x
59EC
0x
59F0
0x
59F4
0x
59F8
0x
59FC
0x
5A00
0x
5A04
0x
5A08
0x
5A0C
0x
5A10
0x
5A14
0x
5A18
0x
5A1C
0x
5A20
0x
5A24
0x
5A28
0x
5A2C
0x
5A30
0x
5A34
0x
5A38
0x
5A3C
0x
5A40
0x
5A44
0x
5A64
0x
5A78
0x
5A7C
0x
5A80
0x
5A88
0x
5A8C
0x
5A90
0x
5A94
0x
5A98
0x
5A9C
0x
5AA0
0x
5AA4
0x
5AA8
0x
5AAC
0x
5AB0
0x
5AB4
0x
5AB8
0x
5ABC
0x
5AC0
0x
5AC4
0x
5AC8
0x
5ACC
0x
5AD0
0x
5AD4
0x
5AD8
0x
5ADC
0x
5AE0
0x
5AE4
0x
5AE8
0x
5AEC
0x
5AF0
0x
5AF4
0x
5AF8
0x
5AFC
0x
5B00
0x
5B04
0x
5B08
0x
5B0C
0x
5B10
0x
5B14
0x
5B18
0x
5B1C
0x
5B20
0x
5B24
0x
5B28
0x
5B2C
0x
5B30
0x
5B34
0x
5B38
0x
5B3C
0x
5B40
0x
5B44
0x
5B48
0x
5B4C
0x
5B50
0x
5B54
0x
5B58
0x
5B5C
0x
5B60
0x
5B64
0x
5B68
0x
5B6C
0x
5B70
0x
5B74
0x
5B78
0x
5B7C
0x
5B80
0x
5B84
0x
5B88
0x
5B8C
0x
5B90
0x
5B94
0x
5BA0
0x
5BA4
0x
5BA8
0x
5BAC
0x
5BB8
0x
5BBC
0x
5BC0
0x
5BC4
0x
5BC8
0x
5BD0
0x
5BDC
0x
5BE0
0x
5BE4
0x
5BE8
0x
5BEC
0x
5BF0
0x
5BF8
0x
5BFC
0x
5C8
0x
930
0x
95C
0x
A48
0x
3A4
0x
3F0
0x
3E4
0x
988
0x
380
0x
5160
0x
5164
0x
58A4
0x
58B8
0x
58EC
0x
58E4
0x
58D8
0x
58BC
0x
58E8
0x
58AC
0x
58B4
0x
599C
0x
5A54
0x
5A70
0x
5A74
0x
5A4C
0x
5A5C
0x
5A68
0x
5A60
0x
5A58
0x
5A84
0x
594
0x
5A6C
0x
5A48
0x
5A50
0x
E18
0x
DF8
0x
58C0
0x
5B9C
0x
5BD4
0x
5BF4
0x
5BD8
0x
58F0
0x
5B98
0x
5BB0
0x
5A50
0x
5B4C
0x
5C04
0x
5C08
0x
5C0C
0x
5C10
0x
5C14
0x
5C18
0x
5C1C
0x
5C20
0x
5C24
0x
5C28
0x
5C2C
0x
5C30
0x
5C34
0x
5C38
0x
5C3C
0x
5C40
0x
5C44
0x
5C48
0x
5C4C
0x
5C50
0x
5C54
0x
5C58
0x
5C5C
0x
5C60
0x
5C70
0x
5C74
0x
5C78
0x
5C7C
0x
5C80
0x
5C84
0x
5C88
0x
5C8C
0x
5C90
0x
5C94
0x
5C98
0x
5C9C
0x
5CA0
0x
5CA4
0x
5CA8
0x
5CAC
0x
5CB0
0x
5CB4
0x
5CB8
0x
5CBC
0x
5CC0
0x
5CC4
0x
5CC8
0x
5CCC
0x
5CD0
0x
5CD4
0x
5CD8
0x
5CDC
0x
5CE0
0x
5CE4
0x
5CE8
0x
5CEC
0x
5CF0
0x
5CF4
0x
5CF8
0x
5CFC
0x
5D00
0x
5D04
0x
5D08
0x
5D0C
0x
5D10
0x
5D14
0x
5D18
0x
5D1C
0x
5D20
0x
5D24
0x
5D28
0x
5D2C
0x
5D30
0x
5D34
0x
5D38
0x
5D3C
0x
5D40
0x
5D44
0x
5D48
0x
5D4C
0x
5D50
0x
5D54
0x
5D58
0x
5D5C
0x
5D60
0x
5D64
0x
5D68
0x
5D6C
0x
5D70
0x
5D74
0x
5D78
0x
5D7C
0x
5D80
0x
5D84
0x
5D88
0x
5D8C
0x
5D90
0x
5D94
0x
5D98
0x
5D9C
0x
5DA0
0x
5DA4
0x
5DA8
0x
5DAC
0x
5DB0
0x
5DB4
0x
5DB8
0x
5DBC
0x
5DC0
0x
5DC4
0x
5DC8
0x
5DCC
0x
5DD0
0x
5DD4
0x
5DD8
0x
5DDC
0x
5DE0
0x
5DE4
0x
5DE8
0x
5DEC
0x
5DF0
0x
5DF4
0x
5DF8
0x
5DFC
0x
5E00
0x
5E04
0x
5E08
0x
5E0C
0x
5E10
0x
5E14
0x
5E18
0x
5E1C
0x
5E20
0x
5E24
0x
5E28
0x
5E2C
0x
5E30
0x
5E34
0x
5E38
0x
5E3C
0x
5E40
0x
5E44
0x
5E48
0x
5E4C
0x
5E50
0x
5E54
0x
5E58
0x
5E5C
0x
5E60
0x
5E64
0x
5E68
0x
5E6C
0x
5E70
0x
5E74
0x
5E78
0x
5E7C
0x
5E80
0x
5E84
0x
5E88
0x
5E8C
0x
5E90
0x
5E94
0x
5E98
0x
5E9C
0x
5EA0
0x
5EA4
0x
5EA8
0x
5EAC
0x
5EB0
0x
5EB4
0x
5EB8
0x
5EBC
0x
5EC0
0x
5EC4
0x
5EC8
0x
5ECC
0x
5ED0
0x
5ED4
0x
5ED8
0x
5EDC
0x
5EE0
0x
5EE4
0x
5EE8
0x
5EEC
0x
5F24
0x
5F28
0x
5F2C
0x
5F30
0x
5F34
0x
5F38
0x
5F3C
0x
5F40
0x
5F44
0x
5F48
0x
5F4C
0x
5F50
0x
5F54
0x
5F58
0x
5F5C
0x
5F7C
0x
5F80
0x
5F84
0x
5F88
0x
5F9C
0x
5FA0
0x
5FA4
0x
5FA8
0x
5FAC
0x
5FB0
0x
5FB4
0x
5FB8
0x
5FBC
0x
5FC0
0x
5FC4
0x
5FC8
0x
5FCC
0x
5FD0
0x
5FD4
0x
5FD8
0x
5FDC
0x
5FE0
0x
5FE4
0x
5FE8
0x
5FEC
0x
5FF0
0x
5FF4
0x
5FF8
0x
5FFC
0x
5C68
0x
5C6C
0x
4038
0x
600
0x
5BCC
0x
58B0
0x
5BB4
0x
5C64
0x
43B8
0x
5E8
0x
78C
0x
A64
0x
5EEC
0x
5EFC
0x
5F1C
0x
5F20
0x
5EF4
0x
5F04
0x
5F14
0x
5F10
0x
5F0C
0x
5F08
0x
5F00
0x
5F18
0x
5EF0
0x
5EF8
0x
5F54
0x
5F6C
0x
5F94
0x
5F98
0x
5F64
0x
5F74
0x
5F8C
0x
5F78
0x
5F70
0x
5F90
0x
5F60
0x
5F68
0x
6004
0x
6008
0x
600C
0x
6010
0x
6014
0x
6018
0x
601C
0x
6020
0x
6024
0x
6028
0x
602C
0x
6030
0x
6034
0x
6038
0x
603C
0x
6040
0x
6044
0x
6048
0x
604C
0x
6050
0x
6054
0x
6058
0x
6070
0x
6074
0x
6078
0x
607C
0x
6080
0x
6084
0x
6088
0x
608C
0x
6090
0x
6094
0x
6098
0x
609C
0x
60A0
0x
60A4
0x
60A8
0x
60AC
0x
60B0
0x
60B4
0x
60B8
0x
60BC
0x
60C0
0x
60C4
0x
60C8
0x
60CC
0x
60D0
0x
60D4
0x
60D8
0x
60DC
0x
60E0
0x
60E4
0x
60E8
0x
60EC
0x
60F4
0x
60F8
0x
60FC
0x
6100
0x
6104
0x
6108
0x
610C
0x
6110
0x
6114
0x
6118
0x
611C
0x
6120
0x
6124
0x
6128
0x
612C
0x
6130
0x
6134
0x
6138
0x
613C
0x
6140
0x
6144
0x
6148
0x
614C
0x
6150
0x
6158
0x
615C
0x
6160
0x
6164
0x
6168
0x
616C
0x
6170
0x
6174
0x
6178
0x
617C
0x
6180
0x
6184
0x
6188
0x
618C
0x
6190
0x
6194
0x
61A4
0x
61A8
0x
61AC
0x
61B0
0x
61B4
0x
61BC
0x
61C0
0x
61C4
0x
61C8
0x
61CC
0x
61D0
0x
61D4
0x
61D8
0x
61DC
0x
61E0
0x
61E4
0x
61E8
0x
61EC
0x
61F0
0x
6204
0x
6224
0x
6228
0x
622C
0x
6230
0x
6234
0x
6238
0x
623C
0x
6240
0x
6244
0x
6248
0x
624C
0x
6250
0x
6254
0x
6258
0x
625C
0x
6260
0x
6264
0x
6268
0x
626C
0x
6270
0x
6274
0x
6278
0x
627C
0x
6280
0x
6284
0x
6288
0x
628C
0x
6290
0x
6294
0x
6298
0x
629C
0x
62A0
0x
62A4
0x
62A8
0x
62AC
0x
62B0
0x
62B4
0x
62B8
0x
62BC
0x
62C0
0x
62C4
0x
62C8
0x
62CC
0x
62D0
0x
62D4
0x
62D8
0x
62DC
0x
62E0
0x
62E4
0x
62E8
0x
62EC
0x
62F0
0x
62F4
0x
62F8
0x
62FC
0x
6300
0x
6304
0x
6308
0x
630C
0x
6310
0x
6314
0x
6318
0x
631C
0x
6320
0x
6324
0x
6328
0x
632C
0x
6330
0x
6334
0x
6338
0x
633C
0x
6340
0x
6344
0x
6348
0x
634C
0x
6350
0x
6354
0x
6358
0x
635C
0x
6360
0x
6364
0x
6368
0x
636C
0x
6370
0x
6374
0x
6378
0x
637C
0x
6380
0x
6384
0x
638C
0x
6390
0x
6394
0x
6398
0x
639C
0x
63A0
0x
63A4
0x
63A8
0x
63AC
0x
63B0
0x
63B4
0x
63B8
0x
63BC
0x
63C0
0x
63C4
0x
63C8
0x
63CC
0x
63D0
0x
63D4
0x
63D8
0x
63DC
0x
63E0
0x
63E4
0x
63E8
0x
63EC
0x
63F0
0x
63F4
0x
63F8
0x
63FC
0x
6068
0x
61F0
0x
6200
0x
61A0
0x
61B8
0x
6060
0x
60F0
0x
6198
0x
6154
0x
606C
0x
621C
0x
6220
0x
6218
0x
61F8
0x
620C
0x
6214
0x
61F4
0x
6210
0x
6208
0x
61FC
0x
619C
0x
605C
0x
6064
0x
6388
0x
6404
0x
6408
0x
640C
0x
6410
0x
6414
0x
6418
0x
641C
0x
6420
0x
6424
0x
6428
0x
642C
0x
6430
0x
6434
0x
6438
0x
643C
0x
6440
0x
6444
0x
6448
0x
644C
0x
6450
0x
6454
0x
6458
0x
645C
0x
6460
0x
6464
0x
6468
0x
646C
0x
6470
0x
6474
0x
6478
0x
647C
0x
6480
0x
6484
0x
6488
0x
648C
0x
6490
0x
6494
0x
6498
0x
649C
0x
64A0
0x
64A4
0x
64A8
0x
64AC
0x
64B0
0x
64B4
0x
64B8
0x
64BC
0x
64C0
0x
64C4
0x
64C8
0x
64CC
0x
64D0
0x
64D4
0x
64D8
0x
64DC
0x
64E0
0x
64E4
0x
64E8
0x
64EC
0x
64F0
0x
64F4
0x
64F8
0x
64FC
0x
6500
0x
6504
0x
6508
0x
650C
0x
6510
0x
6514
0x
6518
0x
651C
0x
6520
0x
6524
0x
6528
0x
652C
0x
6530
0x
6534
0x
6538
0x
653C
0x
6540
0x
6544
0x
6548
0x
654C
0x
6550
0x
6554
0x
6558
0x
655C
0x
6560
0x
6564
0x
6568
0x
656C
0x
6570
0x
65C4
0x
65C8
0x
65CC
0x
65D0
0x
65D4
0x
65D8
0x
65DC
0x
65E0
0x
65E4
0x
65E8
0x
65EC
0x
65F0
0x
65F4
0x
65F8
0x
65FC
0x
6600
0x
6604
0x
6608
0x
660C
0x
6610
0x
6614
0x
6618
0x
661C
0x
6620
0x
6624
0x
6628
0x
662C
0x
6630
0x
6634
0x
6638
0x
663C
0x
6640
0x
6644
0x
6648
0x
664C
0x
6650
0x
6654
0x
6658
0x
665C
0x
6660
0x
6664
0x
6668
0x
666C
0x
6670
0x
6674
0x
6678
0x
667C
0x
6680
0x
6684
0x
6688
0x
668C
0x
6690
0x
6694
0x
6698
0x
669C
0x
66A0
0x
66A4
0x
66A8
0x
66AC
0x
66B0
0x
66B4
0x
66B8
0x
66BC
0x
66C0
0x
66C4
0x
66C8
0x
66CC
0x
66E4
0x
66EC
0x
66F0
0x
66F4
0x
66F8
0x
66FC
0x
6700
0x
6704
0x
6708
0x
670C
0x
6710
0x
6714
0x
671C
0x
6720
0x
6724
0x
6728
0x
672C
0x
6730
0x
6734
0x
6738
0x
673C
0x
6750
0x
6754
0x
6758
0x
675C
0x
6760
0x
6764
0x
6768
0x
676C
0x
6770
0x
6774
0x
6778
0x
677C
0x
6780
0x
6784
0x
6788
0x
67A0
0x
67A4
0x
67B0
0x
67B4
0x
67BC
0x
67C0
0x
67C4
0x
67C8
0x
67D8
0x
67DC
0x
67E0
0x
67E4
0x
67E8
0x
67EC
0x
67F0
0x
67F4
0x
67F8
0x
67FC
0x
3EAC
0x
290
0x
46D4
0x
66CC
0x
66DC
0x
6748
0x
674C
0x
66D4
0x
66E8
0x
6740
0x
6718
0x
66E0
0x
6744
0x
66D0
0x
66D8
0x
6780
0x
6798
0x
67D0
0x
67D4
0x
6790
0x
67A8
0x
67B8
0x
67AC
0x
679C
0x
67CC
0x
678C
0x
6794
0x
6804
0x
6808
0x
680C
0x
6810
0x
6814
0x
6818
0x
681C
0x
6820
0x
6824
0x
6828
0x
682C
0x
6830
0x
6834
0x
6838
0x
683C
0x
6840
0x
6844
0x
6848
0x
684C
0x
6850
0x
6854
0x
6858
0x
685C
0x
6860
0x
6868
0x
686C
0x
6870
0x
6874
0x
6878
0x
687C
0x
6880
0x
6884
0x
6888
0x
688C
0x
6890
0x
6894
0x
6898
0x
689C
0x
68A0
0x
68A4
0x
68A8
0x
68AC
0x
68B0
0x
68B4
0x
68B8
0x
68BC
0x
68C0
0x
68C4
0x
68C8
0x
68CC
0x
68D0
0x
68D4
0x
68D8
0x
68DC
0x
68E0
0x
68E4
0x
68E8
0x
68EC
0x
68F0
0x
68F4
0x
68F8
0x
68FC
0x
6900
0x
6904
0x
6908
0x
690C
0x
6910
0x
6914
0x
6918
0x
691C
0x
6920
0x
6924
0x
6928
0x
692C
0x
6930
0x
6934
0x
6938
0x
693C
0x
6940
0x
6944
0x
6948
0x
694C
0x
6950
0x
6954
0x
6958
0x
695C
0x
6960
0x
6964
0x
6968
0x
6970
0x
6974
0x
697C
0x
6980
0x
6984
0x
6988
0x
698C
0x
6990
0x
6994
0x
6998
0x
699C
0x
69A0
0x
69A4
0x
69A8
0x
69AC
0x
69B0
0x
69B4
0x
69B8
0x
69BC
0x
69C0
0x
69C4
0x
69C8
0x
69CC
0x
69D0
0x
69D4
0x
69D8
0x
69DC
0x
69E0
0x
69E4
0x
69E8
0x
69EC
0x
69F0
0x
69F4
0x
69F8
0x
69FC
0x
6A00
0x
6A04
0x
6A08
0x
6A0C
0x
6A10
0x
6A1C
0x
6A20
0x
6A24
0x
6A28
0x
6A50
0x
6A54
0x
6A58
0x
6A5C
0x
6A60
0x
6A64
0x
6A68
0x
6A6C
0x
6A70
0x
6A74
0x
6A78
0x
6A7C
0x
6A80
0x
6A84
0x
6A88
0x
6A8C
0x
6A90
0x
6A94
0x
6A98
0x
6A9C
0x
6AA0
0x
6AA4
0x
6AA8
0x
6AAC
0x
6AB0
0x
6AB4
0x
6AB8
0x
6ABC
0x
6AC0
0x
6AC4
0x
6AC8
0x
6ACC
0x
6AD0
0x
6AD4
0x
6AD8
0x
6ADC
0x
6AE0
0x
6AE4
0x
6AE8
0x
6AEC
0x
6AF0
0x
6AF4
0x
6AF8
0x
6AFC
0x
6B00
0x
6B04
0x
6B08
0x
6B0C
0x
6B10
0x
6B14
0x
6B18
0x
6B1C
0x
6B20
0x
6B24
0x
6B28
0x
6B2C
0x
6B30
0x
6B34
0x
6B38
0x
6B3C
0x
6B40
0x
6B44
0x
6B48
0x
6B4C
0x
6B50
0x
6B54
0x
6B58
0x
6B5C
0x
6B60
0x
6B64
0x
6B68
0x
6B6C
0x
6B70
0x
6B74
0x
6B78
0x
6B7C
0x
6B80
0x
6B84
0x
6B88
0x
6B8C
0x
6B90
0x
6B94
0x
6B98
0x
6B9C
0x
6BA0
0x
6BA4
0x
6BA8
0x
6BAC
0x
6BB0
0x
6BB4
0x
6BB8
0x
6BBC
0x
6BC0
0x
6BC4
0x
6BC8
0x
6BCC
0x
6BD0
0x
6BD4
0x
6BD8
0x
6BDC
0x
6BE0
0x
6BE4
0x
6BE8
0x
6BEC
0x
6BF0
0x
6BF4
0x
6BF8
0x
6BFC
0x
880
0x
6A00
0x
6A30
0x
6A48
0x
6A4C
0x
6A18
0x
6A38
0x
6A40
0x
6A3C
0x
6A34
0x
6A44
0x
6A14
0x
6A2C
0x
6C04
0x
6C08
0x
6C0C
0x
6C10
0x
6C14
0x
6C18
0x
6C1C
0x
6C20
0x
6C24
0x
6C28
0x
6C2C
0x
6C30
0x
6C34
0x
6C38
0x
6C3C
0x
6C40
0x
6C44
0x
6C48
0x
6C4C
0x
6C50
0x
6C54
0x
6C58
0x
6C5C
0x
6C60
0x
6C64
0x
6C68
0x
6C6C
0x
6C70
0x
6C74
0x
6C78
0x
6C7C
0x
6C80
0x
6C84
0x
6C88
0x
6C8C
0x
6C90
0x
6C94
0x
6C98
0x
6C9C
0x
6CA0
0x
6CA4
0x
6CA8
0x
6CAC
0x
6CB0
0x
6CB4
0x
6CB8
0x
6CBC
0x
6CC0
0x
6CC4
0x
6CC8
0x
6CD4
0x
6CD8
0x
6CDC
0x
6CE8
0x
6CEC
0x
6CF0
0x
6CF4
0x
6CF8
0x
6CFC
0x
6D04
0x
6D0C
0x
6D10
0x
6D14
0x
6D18
0x
6D1C
0x
6D20
0x
6D24
0x
6D28
0x
6D2C
0x
6D30
0x
6D34
0x
6D38
0x
6D3C
0x
6D40
0x
6D44
0x
6D48
0x
6D4C
0x
6D50
0x
6D54
0x
6D58
0x
6D5C
0x
6D60
0x
6D64
0x
6D68
0x
6D6C
0x
6D70
0x
6D74
0x
6D78
0x
6D7C
0x
6D80
0x
6D84
0x
6D88
0x
6D8C
0x
6D94
0x
6D98
0x
6D9C
0x
6DA0
0x
6DA4
0x
6DA8
0x
6DAC
0x
6DB0
0x
6DB4
0x
6DB8
0x
6DBC
0x
6DC0
0x
6DC4
0x
6DC8
0x
6DCC
0x
6DD0
0x
6DD4
0x
6DD8
0x
6DDC
0x
6DE0
0x
6DE4
0x
6DE8
0x
6DEC
0x
6DF0
0x
6DF4
0x
6DFC
0x
6E00
0x
6E04
0x
6E08
0x
6E0C
0x
6E10
0x
6E1C
0x
6E20
0x
6E24
0x
6E28
0x
6E2C
0x
6E30
0x
6E34
0x
6E38
0x
6E3C
0x
6E40
0x
6E44
0x
6E48
0x
6E4C
0x
6E50
0x
6E54
0x
6E58
0x
6E5C
0x
6E60
0x
6E64
0x
6E68
0x
6E6C
0x
6E70
0x
6E74
0x
6E78
0x
6E7C
0x
6E80
0x
6E84
0x
6E88
0x
6E8C
0x
6E90
0x
6E94
0x
6E98
0x
6E9C
0x
6EA0
0x
6EA4
0x
6EA8
0x
6EAC
0x
6EB0
0x
6EB4
0x
6EB8
0x
6EBC
0x
6EC0
0x
6EC4
0x
6EC8
0x
6ECC
0x
6ED0
0x
6ED4
0x
6ED8
0x
6EDC
0x
6EE0
0x
6EE4
0x
6EE8
0x
6EEC
0x
6EF0
0x
6EF4
0x
6EF8
0x
6EFC
0x
6F00
0x
6F04
0x
6F08
0x
6F0C
0x
6F10
0x
6F14
0x
6F18
0x
6F1C
0x
6F20
0x
6F24
0x
6F28
0x
6F2C
0x
6F30
0x
6F34
0x
6F38
0x
6F3C
0x
6F40
0x
6F44
0x
6F48
0x
6F4C
0x
6F50
0x
6F54
0x
6F58
0x
6F5C
0x
6F60
0x
6F64
0x
6F68
0x
6F6C
0x
6F74
0x
6F78
0x
6F7C
0x
6F80
0x
6F84
0x
6F88
0x
6F8C
0x
6F90
0x
6F94
0x
6F98
0x
6F9C
0x
6FA0
0x
6FA4
0x
6FA8
0x
6FAC
0x
6FB0
0x
6FB4
0x
6FB8
0x
6FBC
0x
6FC0
0x
6FC4
0x
6FC8
0x
6FCC
0x
6FD0
0x
6FD4
0x
6FD8
0x
6FDC
0x
6FE0
0x
6FE4
0x
6FE8
0x
6FEC
0x
6FF0
0x
6FF4
0x
6FF8
0x
6FFC
0x
6C18
0x
6CE4
0x
6E18
0x
6F70
0x
6CD0
0x
6D08
0x
6DF8
0x
6D90
0x
6D00
0x
6E14
0x
6CCC
0x
6CE0
0x
7004
0x
7008
0x
700C
0x
7010
0x
7014
0x
7018
0x
701C
0x
7020
0x
7024
0x
7028
0x
702C
0x
7030
0x
7034
0x
7038
0x
703C
0x
7040
0x
7044
0x
7048
0x
704C
0x
7050
0x
7054
0x
7058
0x
705C
0x
7060
0x
7064
0x
7068
0x
706C
0x
7070
0x
7074
0x
7078
0x
707C
0x
7080
0x
7084
0x
7088
0x
708C
0x
7090
0x
7094
0x
7098
0x
709C
0x
70A0
0x
70A4
0x
70A8
0x
70AC
0x
70B0
0x
70B4
0x
70B8
0x
70BC
0x
70C0
0x
70C4
0x
70C8
0x
70CC
0x
70D0
0x
70D4
0x
70D8
0x
70DC
0x
70E0
0x
70E4
0x
70E8
0x
70EC
0x
70F0
0x
70F4
0x
70F8
0x
70FC
0x
7100
0x
7104
0x
7108
0x
710C
0x
7110
0x
7114
0x
7118
0x
711C
0x
7120
0x
7124
0x
7128
0x
712C
0x
7130
0x
7134
0x
7138
0x
713C
0x
7140
0x
7144
0x
7148
0x
714C
0x
7150
0x
7154
0x
7158
0x
715C
0x
7160
0x
7164
0x
7168
0x
716C
0x
7170
0x
7174
0x
7178
0x
717C
0x
7180
0x
7184
0x
7188
0x
718C
0x
7190
0x
7194
0x
7198
0x
719C
0x
71A0
0x
71A4
0x
71A8
0x
71AC
0x
71B0
0x
71B4
0x
71B8
0x
71BC
0x
71C0
0x
71C4
0x
71C8
0x
71CC
0x
71D0
0x
71D4
0x
71D8
0x
71DC
0x
71E0
0x
71E4
0x
71E8
0x
71EC
0x
71F0
0x
71F4
0x
71F8
0x
71FC
0x
7200
0x
7204
0x
7208
0x
720C
0x
7210
0x
7214
0x
7218
0x
721C
0x
7220
0x
7224
0x
7228
0x
7234
0x
7238
0x
724C
0x
7250
0x
7254
0x
7258
0x
725C
0x
7260
0x
7264
0x
7268
0x
726C
0x
7270
0x
7278
0x
727C
0x
7294
0x
72C4
0x
72C8
0x
72CC
0x
72D0
0x
72D4
0x
72D8
0x
72DC
0x
72E0
0x
72E4
0x
72E8
0x
72EC
0x
72F0
0x
72F4
0x
72F8
0x
72FC
0x
7300
0x
7304
0x
7308
0x
730C
0x
7310
0x
7314
0x
7318
0x
731C
0x
7320
0x
7324
0x
7328
0x
732C
0x
7330
0x
7334
0x
7338
0x
733C
0x
7340
0x
7344
0x
7348
0x
734C
0x
7350
0x
7354
0x
7358
0x
735C
0x
7360
0x
7364
0x
7368
0x
736C
0x
7370
0x
7374
0x
7378
0x
737C
0x
7380
0x
7384
0x
7388
0x
738C
0x
7390
0x
7394
0x
7398
0x
739C
0x
73A0
0x
73A4
0x
73A8
0x
73AC
0x
73B0
0x
73B4
0x
73B8
0x
73BC
0x
73C0
0x
73C4
0x
73C8
0x
73CC
0x
73D0
0x
73D4
0x
73D8
0x
73DC
0x
73E0
0x
73E4
0x
73E8
0x
73EC
0x
73F0
0x
73F4
0x
73F8
0x
73FC
0x
CCC
0x
1188
0x
1290
0x
1FF0
0x
7218
0x
7240
0x
7288
0x
728C
0x
7230
0x
7248
0x
7280
0x
7274
0x
7244
0x
7284
0x
722C
0x
723C
0x
3F4
0x
2B4
0x
608
0x
C20
0x
614
0x
2088
0x
7294
0x
740
0x
72A4
0x
850
0x
6EC
0x
540
0x
72BC
0x
72C0
0x
729C
0x
72AC
0x
72B4
0x
72B0
0x
72A8
0x
72B8
0x
7298
0x
72A0
0x
96C
0x
484
0x
7404
0x
7408
0x
740C
0x
7410
0x
7414
0x
7418
0x
741C
0x
7420
0x
7424
0x
7428
0x
742C
0x
7430
0x
7434
0x
7438
0x
743C
0x
7440
0x
7444
0x
7448
0x
744C
0x
7450
0x
7454
0x
7458
0x
745C
0x
7460
0x
7464
0x
7468
0x
746C
0x
7470
0x
7474
0x
7478
0x
747C
0x
7480
0x
7484
0x
7488
0x
748C
0x
7490
0x
7494
0x
7498
0x
749C
0x
74A0
0x
74A4
0x
74A8
0x
74AC
0x
74B0
0x
74B4
0x
74B8
0x
74BC
0x
74C0
0x
74C4
0x
74C8
0x
74CC
0x
74D0
0x
74D4
0x
74D8
0x
74DC
0x
74E0
0x
74E4
0x
74E8
0x
74EC
0x
74F0
0x
74F4
0x
74F8
0x
74FC
0x
7500
0x
7504
0x
7508
0x
750C
0x
7510
0x
7514
0x
7518
0x
751C
0x
7520
0x
7524
0x
7528
0x
752C
0x
7530
0x
7534
0x
7538
0x
753C
0x
7540
0x
7544
0x
7548
0x
754C
0x
7550
0x
7554
0x
7558
0x
755C
0x
7560
0x
7564
0x
7568
0x
756C
0x
7570
0x
7574
0x
7578
0x
757C
0x
7580
0x
7584
0x
7588
0x
758C
0x
7590
0x
7594
0x
7598
0x
759C
0x
75A0
0x
75A4
0x
75A8
0x
75AC
0x
75B0
0x
75B4
0x
75B8
0x
75BC
0x
75C0
0x
75C4
0x
75C8
0x
75CC
0x
75D0
0x
75D4
0x
75D8
0x
75DC
0x
75E0
0x
75E4
0x
75E8
0x
75EC
0x
75F0
0x
75F4
0x
75F8
0x
75FC
0x
7600
0x
7604
0x
7608
0x
760C
0x
7610
0x
7614
0x
7618
0x
761C
0x
7620
0x
7624
0x
7628
0x
762C
0x
7630
0x
7634
0x
7638
0x
763C
0x
7640
0x
7644
0x
7648
0x
764C
0x
7650
0x
7654
0x
7658
0x
765C
0x
7660
0x
7664
0x
7668
0x
766C
0x
7670
0x
7674
0x
7678
0x
767C
0x
7680
0x
7684
0x
7688
0x
768C
0x
7690
0x
7694
0x
7698
0x
769C
0x
76A0
0x
76A4
0x
76A8
0x
76AC
0x
76B0
0x
76B4
0x
76B8
0x
76BC
0x
76C0
0x
76C4
0x
76C8
0x
76CC
0x
76D0
0x
76D4
0x
76D8
0x
76DC
0x
76E0
0x
76E4
0x
76E8
0x
76EC
0x
76F0
0x
76F4
0x
76F8
0x
76FC
0x
7700
0x
7704
0x
7708
0x
770C
0x
7710
0x
7714
0x
7718
0x
771C
0x
7720
0x
7724
0x
7728
0x
772C
0x
7730
0x
7734
0x
7738
0x
773C
0x
7740
0x
7744
0x
7748
0x
774C
0x
7750
0x
7754
0x
7758
0x
775C
0x
7760
0x
7764
0x
7768
0x
776C
0x
7770
0x
7774
0x
7778
0x
777C
0x
7780
0x
7784
0x
7788
0x
778C
0x
7790
0x
7794
0x
7798
0x
779C
0x
77A0
0x
77A4
0x
77A8
0x
77AC
0x
77B0
0x
77B4
0x
77B8
0x
77BC
0x
77C0
0x
77C4
0x
77C8
0x
77CC
0x
77D0
0x
77D4
0x
77D8
0x
77DC
0x
77E0
0x
77E4
0x
77E8
0x
77EC
0x
77F0
0x
77F4
0x
77F8
0x
77FC
0x
2094
0x
8EC
0x
298
0x
2594
0x
7804
0x
7808
0x
780C
0x
7810
0x
7814
0x
7818
0x
781C
0x
7820
0x
7824
0x
7828
0x
782C
0x
7830
0x
7834
0x
7838
0x
783C
0x
7840
0x
7844
0x
7848
0x
784C
0x
7850
0x
7854
0x
7858
0x
785C
0x
7860
0x
7864
0x
7868
0x
786C
0x
7870
0x
7874
0x
7878
0x
787C
0x
7880
0x
7884
0x
7888
0x
788C
0x
7890
0x
7894
0x
7898
0x
789C
0x
78A0
0x
78A4
0x
78A8
0x
78AC
0x
78B0
0x
78B4
0x
78B8
0x
78BC
0x
78C0
0x
78C4
0x
78C8
0x
78CC
0x
78D0
0x
78D4
0x
78D8
0x
78DC
0x
78E0
0x
78E4
0x
78E8
0x
78EC
0x
78F0
0x
78F4
0x
78F8
0x
78FC
0x
7900
0x
7904
0x
7908
0x
790C
0x
7910
0x
7914
0x
7918
0x
791C
0x
7920
0x
7924
0x
7928
0x
792C
0x
7930
0x
7934
0x
7938
0x
793C
0x
7940
0x
7944
0x
7948
0x
794C
0x
7950
0x
7954
0x
7958
0x
795C
0x
7960
0x
7964
0x
7968
0x
796C
0x
7970
0x
7974
0x
7978
0x
797C
0x
7980
0x
7984
0x
7988
0x
798C
0x
7990
0x
7994
0x
7998
0x
799C
0x
79A0
0x
79A4
0x
79A8
0x
79AC
0x
79B0
0x
79B4
0x
79B8
0x
79BC
0x
79C0
0x
79C4
0x
79C8
0x
79CC
0x
79D0
0x
79D4
0x
79D8
0x
79DC
0x
79E0
0x
79E4
0x
79E8
0x
79EC
0x
79F0
0x
79F4
0x
79F8
0x
79FC
0x
7A00
0x
7A04
0x
7A08
0x
7A0C
0x
7A10
0x
7A14
0x
7A18
0x
7A1C
0x
7A20
0x
7A24
0x
7A28
0x
7A2C
0x
7A30
0x
7A34
0x
7A38
0x
7A3C
0x
7A40
0x
7A44
0x
7A48
0x
7A4C
0x
7A50
0x
7A54
0x
7A58
0x
7A5C
0x
7A60
0x
7A64
0x
7A68
0x
7A6C
0x
7A70
0x
7A74
0x
7A78
0x
7A7C
0x
7A80
0x
7A84
0x
7A88
0x
7A8C
0x
7A90
0x
7A94
0x
7A98
0x
7A9C
0x
7AA0
0x
7AA4
0x
7AA8
0x
7AAC
0x
7AB0
0x
7AB4
0x
7AB8
0x
7ABC
0x
7AC0
0x
7AC4
0x
7AC8
0x
7ACC
0x
7AD0
0x
7AD4
0x
7AD8
0x
7ADC
0x
7AE0
0x
7AE4
0x
7AE8
0x
7AEC
0x
7AF0
0x
7AF4
0x
7AF8
0x
7AFC
0x
7B00
0x
7B04
0x
7B08
0x
7B0C
0x
7B10
0x
7B14
0x
7B18
0x
7B1C
0x
7B20
0x
7B24
0x
7B28
0x
7B2C
0x
7B30
0x
7B34
0x
7B38
0x
7B3C
0x
7B40
0x
7B44
0x
7B48
0x
7B4C
0x
7B50
0x
7B54
0x
7B58
0x
7B5C
0x
7B60
0x
7B64
0x
7B68
0x
7B6C
0x
7B70
0x
7B74
0x
7B78
0x
7B7C
0x
7B80
0x
7B84
0x
7B88
0x
7B8C
0x
7B90
0x
7B94
0x
7B98
0x
7B9C
0x
7BA0
0x
7BA4
0x
7BA8
0x
7BAC
0x
7BB0
0x
7BB4
0x
7BB8
0x
7BBC
0x
7BC0
0x
7BC4
0x
7BC8
0x
7BCC
0x
7BD0
0x
7BD4
0x
7BD8
0x
7BDC
0x
7BE0
0x
7BE4
0x
7BE8
0x
7BEC
0x
7BF0
0x
7BF4
0x
7BF8
0x
7BFC
0x
7C04
0x
7C08
0x
7C0C
0x
7C10
0x
7C14
0x
7C18
0x
7C1C
0x
7C20
0x
7C24
0x
7C28
0x
7C2C
0x
7C30
0x
7C34
0x
7C38
0x
7C3C
0x
7C40
0x
7C44
0x
7C48
0x
7C4C
0x
7C50
0x
7C54
0x
7C58
0x
7C5C
0x
7C60
0x
7C64
0x
7C68
0x
7C6C
0x
7C70
0x
7C74
0x
7C78
0x
7C7C
0x
7C80
0x
7C84
0x
7C88
0x
7C8C
0x
7C90
0x
7C94
0x
7C98
0x
7C9C
0x
7CA0
0x
7CA4
0x
7CA8
0x
7CAC
0x
7CB0
0x
7CB4
0x
7CB8
0x
7CBC
0x
7CC0
0x
7CC4
0x
7CC8
0x
7CCC
0x
7CD0
0x
7CD4
0x
7CD8
0x
7CDC
0x
7CE0
0x
7CE4
0x
7CE8
0x
7CEC
0x
7CF0
0x
7CF4
0x
7CF8
0x
7CFC
0x
7D00
0x
7D04
0x
7D08
0x
7D0C
0x
7D10
0x
7D14
0x
7D18
0x
7D1C
0x
7D20
0x
7D24
0x
7D28
0x
7D2C
0x
7D30
0x
7D34
0x
7D38
0x
7D3C
0x
7D40
0x
7D44
0x
7D48
0x
7D4C
0x
7D50
0x
7D54
0x
7D58
0x
7D5C
0x
7D60
0x
7D64
0x
7D68
0x
7D6C
0x
7D70
0x
7D74
0x
7D78
0x
7D7C
0x
7D80
0x
7D84
0x
7D88
0x
7D8C
0x
7D90
0x
7D94
0x
7D98
0x
7D9C
0x
7DA0
0x
7DA4
0x
7DA8
0x
7DAC
0x
7DB0
0x
7DB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000000f951d0000 | 0xf951d0000 | 0xf951effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000f951d0000 | 0xf951d0000 | 0xf951dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000f951e0000 | 0xf951e0000 | 0xf951e6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000f951f0000 | 0xf951f0000 | 0xf95203fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000f95210000 | 0xf95210000 | 0xf9530ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000f95310000 | 0xf95310000 | 0xf95313fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000f95320000 | 0xf95320000 | 0xf95320fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000f95330000 | 0xf95330000 | 0xf95331fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xf95340000 | 0xf953fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000f95400000 | 0xf95400000 | 0xf954fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f95500000 | 0xf95500000 | 0xf95506fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f95510000 | 0xf95510000 | 0xf95510fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f95520000 | 0xf95520000 | 0xf95520fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f95530000 | 0xf95530000 | 0xf9562ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f95630000 | 0xf95630000 | 0xf9563ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f95630000 | 0xf95630000 | 0xf95645fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000f95630000 | 0xf95630000 | 0xf95637fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000f95630000 | 0xf95630000 | 0xf95642fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000f95630000 | 0xf95630000 | 0xf95631fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000f95630000 | 0xf95630000 | 0xf95632fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000f95640000 | 0xf95640000 | 0xf95647fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000f95640000 | 0xf95640000 | 0xf95640fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000f95650000 | 0xf95650000 | 0xf95657fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000f95650000 | 0xf95650000 | 0xf95662fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000f95650000 | 0xf95650000 | 0xf95650fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000f95650000 | 0xf95650000 | 0xf95652fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000f95650000 | 0xf95650000 | 0xf95652fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000f95660000 | 0xf95660000 | 0xf95660fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0xf95670000 | 0xf95673fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db | 0xf95680000 | 0xf956c2fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0xf956d0000 | 0xf956d3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000f956e0000 | 0xf956e0000 | 0xf956effff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0xf956f0000 | 0xf956f3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000f95700000 | 0xf95700000 | 0xf9570ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000f95710000 | 0xf95710000 | 0xf95897fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000f958a0000 | 0xf958a0000 | 0xf95a20fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000f95a30000 | 0xf95a30000 | 0xf96e2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000f96e30000 | 0xf96e30000 | 0xf96f2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000f96f30000 | 0xf96f30000 | 0xf9772ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xf96f30000 | 0xf97266fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000f97270000 | 0xf97270000 | 0xf9736ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f97270000 | 0xf97270000 | 0xf97285fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000f97270000 | 0xf97270000 | 0xf97285fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000f97290000 | 0xf97290000 | 0xf972a5fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000f97370000 | 0xf97370000 | 0xf9746ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f97470000 | 0xf97470000 | 0xf9756ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f97570000 | 0xf97570000 | 0xf9766ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f97670000 | 0xf97670000 | 0xf9776ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000f97730000 | 0xf97730000 | 0xf97f2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0xf97770000 | 0xf977fafff | Memory Mapped File | r |
|
|
|
- |
| propsys.dll.mui | 0xf97800000 | 0xf97810fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0xf97820000 | 0xf97832fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000f97840000 | 0xf97840000 | 0xf97840fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000f97850000 | 0xf97850000 | 0xf9794ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f97950000 | 0xf97950000 | 0xf97a4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000f97950000 | 0xf97950000 | 0xf9814ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000f97950000 | 0xf97950000 | 0xf97963fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000f97950000 | 0xf97950000 | 0xf97966fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000f97970000 | 0xf97970000 | 0xf9816ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000f97a50000 | 0xf97a50000 | 0xf97b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f97a50000 | 0xf97a50000 | 0xf97b44fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f97b50000 | 0xf97b50000 | 0xf97c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f97c50000 | 0xf97c50000 | 0xf97d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f97c50000 | 0xf97c50000 | 0xf97d44fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f97d50000 | 0xf97d50000 | 0xf97e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f97e50000 | 0xf97e50000 | 0xf97f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f97f50000 | 0xf97f50000 | 0xf9804ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f98050000 | 0xf98050000 | 0xf9814ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f98050000 | 0xf98050000 | 0xf98144fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000f98150000 | 0xf98150000 | 0xf9894ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000f98150000 | 0xf98150000 | 0xf9824ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000f98170000 | 0xf98170000 | 0xf9896ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000f98250000 | 0xf98250000 | 0xf9834ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f98350000 | 0xf98350000 | 0xf9844ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f98450000 | 0xf98450000 | 0xf9854ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f98550000 | 0xf98550000 | 0xf9864ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f98650000 | 0xf98650000 | 0xf9874ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f98750000 | 0xf98750000 | 0xf9884ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000f98850000 | 0xf98850000 | 0xf9894ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000f98970000 | 0xf98970000 | 0xf98986fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00007ff74f58a000 | 0x7ff74f58a000 | 0x7ff74f58bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f58c000 | 0x7ff74f58c000 | 0x7ff74f58dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f58e000 | 0x7ff74f58e000 | 0x7ff74f58ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f590000 | 0x7ff74f590000 | 0x7ff74f591fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f592000 | 0x7ff74f592000 | 0x7ff74f593fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f594000 | 0x7ff74f594000 | 0x7ff74f595fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f596000 | 0x7ff74f596000 | 0x7ff74f597fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f598000 | 0x7ff74f598000 | 0x7ff74f599fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f59a000 | 0x7ff74f59a000 | 0x7ff74f59bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f59c000 | 0x7ff74f59c000 | 0x7ff74f59dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f59e000 | 0x7ff74f59e000 | 0x7ff74f59ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f5a0000 | 0x7ff74f5a0000 | 0x7ff74f5a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f5a2000 | 0x7ff74f5a2000 | 0x7ff74f5a3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f5a4000 | 0x7ff74f5a4000 | 0x7ff74f5a5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f5a6000 | 0x7ff74f5a6000 | 0x7ff74f5a7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f5a8000 | 0x7ff74f5a8000 | 0x7ff74f5a9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f5aa000 | 0x7ff74f5aa000 | 0x7ff74f5abfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f5ac000 | 0x7ff74f5ac000 | 0x7ff74f5adfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f5ae000 | 0x7ff74f5ae000 | 0x7ff74f5affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff74f5b0000 | 0x7ff74f5b0000 | 0x7ff74f6affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff74f6b0000 | 0x7ff74f6b0000 | 0x7ff74f6d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff74f6d3000 | 0x7ff74f6d3000 | 0x7ff74f6d4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f6d5000 | 0x7ff74f6d5000 | 0x7ff74f6d6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f6d7000 | 0x7ff74f6d7000 | 0x7ff74f6d8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f6d9000 | 0x7ff74f6d9000 | 0x7ff74f6dafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f6db000 | 0x7ff74f6db000 | 0x7ff74f6dcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f6dd000 | 0x7ff74f6dd000 | 0x7ff74f6defff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff74f6df000 | 0x7ff74f6df000 | 0x7ff74f6dffff | Private Memory | rw |
|
|
|
- |
| zotci.exe | 0x7ff7503c0000 | 0x7ff750756fff | Memory Mapped File | rwx |
|
|
|
|
| actxprxy.dll | 0x7ffc48ff0000 | 0x7ffc49459fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x7ffc4b540000 | 0x7ffc4b6d6fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ffc4ddd0000 | 0x7ffc4e145fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc511b0000 | 0x7ffc51332fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ffc52cd0000 | 0x7ffc52d47fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffc53810000 | 0x7ffc5382bfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 384 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Immersive Control Panel.lnk.RYK | 2.56 KB |
MD5:
5a8dbf0cccdfb9cfba41ef35924eee57
SHA1: 884ab42b21353ed4de9e042e7de93c13456310a5 SHA256: 89948352961d83eb56f547b57c1005474f46d29f8e883426e922881884daed5f SSDeep: 48:iQUKMNPH+iOpxi8C2A88Hnq1EWBSgNNH7aLeuTIO4uS+qYegnc+wKzXD:VpYpmvCT8WUEwN0e1r+qYZz |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini.RYK | 0.72 KB |
MD5:
310bce0096c8db67dce6ee89f5ec7777
SHA1: 910242fbda5faf497dc91803ca13d4599f50a82f SHA256: 441e5c75b5e30c676a4372183433593877ecd76b77b081031df6592823db8720 SSDeep: 12:RpqiU+GwlmXtYW65MoPtCQDgnA7EyzNgPxv/CSaR1y8qiueMCkIy8W:/qiAXtjolCWyFIRo7iueED8W |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.006.etl.RYK | 16.28 KB |
MD5:
5d4e7f97c3f2ece11955f4a007926ecc
SHA1: 0fc61dbaf90ddc65fa0886425a0061e534b093a6 SHA256: d491146bfa79ebb60930aabf8d52bf53b50ceff894ccbfa769f58c54923e956f SSDeep: 384:RS6X/A5XJK7Mhd5RIPH3X02jKUQTClDQHBiBDd+zZEYLecsuL:Y5XJK7e5RIPXX0pClYBiv6EYLeG |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.019.etl.RYK | 4.28 KB |
MD5:
9b74e943e151edee8676e2b9a1fb6eaf
SHA1: 27437eb933192cdc6eea4a05e9d6c5f75032a46e SHA256: 88b58da76dc07b07ac9c11e479353d569ca46fc59ba71592a2caf0942fde9f97 SSDeep: 96:Zc2Oh1m8rKTwbpu6z4DqE4Q4wSHuk6LNElr5/OIYJCYLGA:ZLOtrKTwbIqSqEgF56R6rMJCcGA |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\288.RYK | 0.41 KB |
MD5:
ff9a310b8bfc40bc3c994b5bf3d4b524
SHA1: 877b20b97310c482f8f2e3235c7ff28ea9619a9d SHA256: 56662159639641b3708f2589d22eb2a9f5964573dcb5038082e3c291a9cff978 SSDeep: 6:5laMXVZ8/qsujvYSsETNy3595DYzYj9Wi6/i7scf+nAosHjHlF1i09MlBDIop4H:KKvJlTNu5vYzO99TfoAjF0vTDIopS |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini.RYK | 0.64 KB |
MD5:
8c0e38b7694b1c186aac76f0c053af63
SHA1: 2e2b547d74fe1cacb6fe9174f3ef973a4b9acdf1 SHA256: e04319c67519ccb22bdaf674eaaa59ec31d3caed16ae06a00d537bd922a62683 SSDeep: 12:TpopMgqTaBsaEVGeG9vPXQ1jXYabeAOgRkiU5/SaDFWQKtvw74si+pX5+y2lF5d3:TOWdatEVm9Q1caOgRJUhFZ4aBwy2lF55 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Math Input Panel.lnk.RYK | 1.42 KB |
MD5:
9a7d34692fe58732a1bc548ec0bad640
SHA1: c58b2d849e66b35ef96c66c486332cb7b776f600 SHA256: eb00e0f0badaca0d8a2073ac67581bd4a3d7e3c21d7093978b0619c8d68b293d SSDeep: 24:ILiUpsxcdji4TCOwatd/r1k0NgK+yjysIZjrobIVdM4PPJy3MyilckeDFRY3:ILiUpscdjfttFr0ymjrobWPkMyXDDF0 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\1\0000000000000000.idx.RYK | 0.36 KB |
MD5:
3e9e1897b4f8995a416526e97650be10
SHA1: 062ae347cd56691e3373efa06ed539ad5e5351e8 SHA256: 2a4e7d5cfae92db412153d87389be20a456538f4ffb1ade556574be1c56cb5b1 SSDeep: 6:3WXXQvKgnTDEtBZsdSy3knwGg5en+TTUXMeUeiFgqImCd2ujrt+qCrzzjeCE1PRq:Gn7IAdwGg5c78eUe6D1uCnmCb |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Acrobat Reader DC.lnk.RYK | 2.67 KB |
MD5:
04984e83317ff1a0f952a6191df95c73
SHA1: 7a4d2e5e3c6618519b206ea6ec1eec9d7f380e9f SHA256: feafb55bd96cbefe1553b77d24b52f0b3a55a3d6ad756f9a92d9384cb4921668 SSDeep: 48:VLzl2c0bNZ/dgT8dySBcaIDfBl69fDy0OX1xCfYJZ6j46A7CGfQXJADaTvZ7pl:VLzlB0f/dc8dygI9kJRi6jLAGWCQaTd |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Wordpad.lnk.RYK | 1.41 KB |
MD5:
77244fabdab452432b0c778287c15c51
SHA1: 2652a839aea263b790931bd1ed26e9d1d097a727 SHA256: e9c626502bf607bbaf3b1d486a7a9caab72a65bdf751b8359ff49c5aa80bbf02 SSDeep: 24:FcWxcHSbIkns1tgsRzkZZEaRdaQtEPsTh5dBBUSh6MS2+v2ueZF3Aj3VFQ3O6IBG:qGIbt1Rz0LdaQPT3fBUADS2+uue/AjVI |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk.RYK | 1.60 KB |
MD5:
752fadca80c4b5034c3297bfbe480b82
SHA1: 5072e927f1f5cfa9a7b2dd21c516e4ee35e08d01 SHA256: d570c1ed7183392abbfcbedfce9a0c47ed0c2f23f7f33ad23a9ccd367aff9d31 SSDeep: 24:VCMtD+Gh/9fM9P2H7Nt116+Vl9eAko6fJLLfnPlPvrBbY8aiQhrUkfbMj:Vt+4M9ej119VuRJfNPlPvrhY7hrUGK |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Outlook 2016.lnk.RYK | 2.63 KB |
MD5:
6dbb87d962637a43a1018d5ea22582d3
SHA1: 581d3ea976b7dc785d49c8d02aeb7621f924889b SHA256: 0eb4d2b8dc482e5d84e1bffb57da396bacbc2225121ed69f7944c8fe34b706e5 SSDeep: 48:inVE1e6zkEW3hmqk0Rv4A+XKuaaxIlzEoR260EL+xA59LfKbnSwTFu6r+Cx1:yVt6fWRl4jXTZxIOoR260EuI1SGwTFZ5 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Desktop.lnk.RYK | 1.11 KB |
MD5:
72b12150b9e8e6d3f68ec10a822a76a5
SHA1: c92a511850977135aaf6c6e8b1439b3499337098 SHA256: 0839040ee541ea5133d46a629a6cfac2f76b30e6ccbb9a0f63be7ff3237fd855 SSDeep: 24:4Okf0kNSHGzIK/BE8Lle8bKAGHjGL2Kf76a1yUWKPU2uByfOM6rbQpoS:49TdXnTL2Kf76+tuByJ6gGS |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.003.etl.RYK | 16.28 KB |
MD5:
a280d8682c9d8a63897738a7459d9da0
SHA1: 4f1c33ca2ae59c0a06ae549ade411ccfc420c97a SHA256: ef79000f628c0ae436ee676ee510b4acbcf1f3feb2816482c460bb767c353a31 SSDeep: 384:ohkFTkJcGugA5FX/ZAlI1amE5B0JArN0/140BSpp2+S:gigA7ZAXaJACd6p2+S |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.018.etl.RYK | 16.28 KB |
MD5:
49d4aed20bdad3e1028d5f6e047a1056
SHA1: f730330066343b5af33cf1cfa45978e542d695ba SHA256: 87ee8970b8462eefbad63a6b63cb4f8c89fe79f611ff5b3699545a7ab1c94d19 SSDeep: 384:mneKtbCcgTG7Zxxb/4j3ldXGPiAjR92eD9jw7BHBPd1:mvtGcgTGNjbQsi4F6d1 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.015.etl.RYK | 16.28 KB |
MD5:
8e354e9989db795649f74f1040522d04
SHA1: d81dc841f5ba47bdf3e968aa307ff89625479616 SHA256: f66d6b90fdcd86186aa9431e0915f963f01c5488f59808b2ca4b78c21f7e8c7f SSDeep: 384:ESkSc0ixfArEhmthYuHbgEOImGHq+7HI25/5kCiHpXVlHIv:XVc08Ey2YuHbgE5vh7yCypXVlHw |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\191.RYK | 0.41 KB |
MD5:
2626fd1be39722c62f29157edb9a19a6
SHA1: ff01374de5f1ce41962443c61e538dbe10e73773 SHA256: fa6f044f4c6e6fc6133693ecffa77c472d13a411f7ce7224ed4527427d4bc571 SSDeep: 12:ItIBKeZl6bumGA/KzRaJHoon9zTiLU1XUIt6:hYeZl6bV/wRaL9zTiL+XUIY |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Paint.lnk.RYK | 1.36 KB |
MD5:
99ffdf7d8f38dc8ad9d8b39477071bba
SHA1: d7f88b0b934be2b2dc66a48faefeb99bc52fcfc2 SHA256: 598dc49d018530561347fb87b456b7cbdcacd66c01c37251d17e16986ca1c623 SSDeep: 24:wJbKOyWR2jgVGEuL1TqZB+4Tz7QYZrb38E2qA0qIfmgHphfWUbieVZ3+vCv:wp1duBuZk43jZP1JHphfWU+0Z3j |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Pending.GRL.RYK | 14.89 KB |
MD5:
9f4d5cda1dcf4791919c1b081fc4e68c
SHA1: 286d788f69aba17a11ae9009bd1e60196c01ac9b SHA256: 858d55d383c8f3112fa54f77255a777440d50aabca4471638077ab65cbcdbf06 SSDeep: 192:Rbl0i3wdYlwmQ9Tyv4pc4ODYYvNLxQ36AfT4U6MvKnXDzjz7mUjxs/5CnlTl5N2b:RSi3wdswDE4po9u6wZFinXnjzXH2/QW |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-40.png.RYK | 0.71 KB |
MD5:
b00ec100de27322f824250102f19ac63
SHA1: a7c91356f45440b332bfbc74a8bcc761a8cbe434 SHA256: 8f5a127cf495511bcd1936f426704ce1a8a64a38dd914e907616f7e9742e14d7 SSDeep: 12:wM+2L0WgDS2BuCPwD4Z/nnvzxcE+aQCGs68twkfdtDlcAdiG288I6wTF9I2IsX3A:wM+YguJynntpbGKSQciiTkPFWs4b |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Project 2016.lnk.RYK | 2.69 KB |
MD5:
8e6ef7c7bb987eb4eb3c56526da48406
SHA1: 40693d36241cc03755f4c94d5739383f1ff95d2c SHA256: 642b93b5009f88c22edc925e94bb5189118a5974a6d4c95f80669f6bc100892d SSDeep: 48:BPttb8KzS9JMjggty607Gq/J5B+rgikzUFKglTe+AlJsm:+KEdgtlmPJPkn/Kqml2m |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\3\0000000000000000.idx.RYK | 0.36 KB |
MD5:
1ed18e9f8bc73d62cff87e08c995d1fd
SHA1: 9009aff9b1f3d73fa62dec7e65c272296c66a37e SHA256: c6a0ffd8869fef9285ab74c50d41167ed2236dd23a598d8815ef96841b7da862 SSDeep: 6:exE7WKutA99DWpBu8uiTSK6RoX2v8RuZC5tP7qyo6kNUgm4LXFkTtRBFaGhnhVM:nZutA99ys8uiT16RajRgCbPuynkNUf49 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\193.RYK | 0.41 KB |
MD5:
7b76b6d74bf8004f43036789597f5c44
SHA1: c9d9d792a550a32ef135efefbf586b5aa8d4d892 SHA256: 310053a94885a92b95610934e97a52b3d533e5326c602a10fe94b54dcb5a34c3 SSDeep: 6:UE1oHit0AJ0BGU0HjRa0+8412JZWBCjsDaGyAqPKkk7T4Ey06seR7n:UtHGXjc0W12TWBCjoaGZWkEsan |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.020.etl.RYK | 8.28 KB |
MD5:
be9665e4d942e2f71ee29b5d6129b66e
SHA1: f18120e0989309a44f098d8927f633ba4250b77c SHA256: 09c2ee369fa7ba313d1b2fe0a5d841cdd423b90afece23b411a46fa4241ed786 SSDeep: 192:xgGMWjiMiD5hbBvi7ey83cqdWa9OfEVZc8QGu1azt0abxFfNm4/ULl:x2WjLZ7eyBna9aEVZc8Hu100aj/ULl |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\328.RYK | 0.41 KB |
MD5:
897f61d6e8b523178e80232a582b6fe6
SHA1: eb8e1c28af3cbee7e8f5c14d206f2d647e00ab9e SHA256: 08c7b9b569c25bd8ab57bf1a9daa7433ea89b735c10ff60377e3c2b54602e073 SSDeep: 6:naOcTFQslQQ5WW8U264WzV01PtBgWwGBIIunK8tKENij3+MM/rRRH8ea/89wf:aOQ6slmW92PtWVIunK4mN4eEE |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Visit Java.com.url.RYK | 0.46 KB |
MD5:
43f5265250440d298f772d227a6cbbca
SHA1: 6f4905c1cfc9bff87c0b58e4b223ce9668dbdc3f SHA256: 1f6677f165ed45d3d52bde62b1c27a78c15b8c84221e9ba02c83cff39bc5be5d SSDeep: 12:rQAeLNI+GvuWapp8uSuurXcd0GDFV2GGfTtYwH4:rbaK+XFS9lGJ3ETv4 |
|
|
| C:\RyukReadMe.txt | 1.28 KB |
MD5:
fa0637a3857a2f258f40883e1cac3074
SHA1: 0980755aac03e8f24f3a040384fc61f43232f56a SHA256: 45d75b8692d29f35b6c36a00477285c5243251e33af5858c538fb80f1b68cbdb SSDeep: 24:iVeUE1sLlHgPsoWIeTt2Ww4OFGdqvWDbbOyxGSConbildyspzRC9XYcsHrDjn:xUE1sLBTwx1Ovblglobsdxu4rDj |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Search.lnk.RYK | 1.83 KB |
MD5:
5a0bc7f25bba1d8b3e1efbc2bcdc0b30
SHA1: f27382371836fe9d7e34a2b63188cd084396979d SHA256: 942f2a8e4632dd3ec53938288a33d8bad5b874711a72f7fb01ca42c28b3fa2a0 SSDeep: 48:192UIhLUhSKu8a8IRQGmVJzm4ZtZO5sr1ZZ7dq+Y+84pliL:19jQLbz58IRQjzziCTZ5qHwDiL |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.007.etl.RYK | 16.28 KB |
MD5:
80af55303cca9f656d6b5ef31992221a
SHA1: 7ad3d884e32f50557bf5cf0c8470180802c77643 SHA256: f252ad4ec96e530f53745bf30dc0933d944742fd512341f5de79df483bda905c SSDeep: 384:ec5Hh4ByZgrIHKWvJlQIzUrn9bmh8iDOhfSH0+tMrk0:ec5HhuyG8HPfQACbv6Oha0z |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\266.RYK | 0.41 KB |
MD5:
8c1354ca9cacb50b80a8c315ce4de581
SHA1: 9dd8a4caf5cd8ae7ec1e9a4dcc7a1989e6a1c0ea SHA256: 75f5f8b392316f9c40200a4702922f62ace55d607feb72a7c5e6cc80917b11e5 SSDeep: 12:AUcA9ib/tfP2ZDYCxqQRa9OF4EZXTIqev2Yfw:AUcA9ib1fJCxq43DHV |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\09\287.RYK | 0.41 KB |
MD5:
4b26b66aed2b286e7e2ea4cd5f499fdb
SHA1: b47b8bfb514c172a17cefd07ed65f9d823683986 SHA256: 60e700b0734398c2146f951bd1b745f6506de51d6f1fb8270b0123ab5a76c5b2 SSDeep: 12:77eGVw574RJR2pWqB9xOWgGjRfQtNanqiE5R:/eGVw94R72plB90RaQ7TL |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\installcache_x64\baseimagefam8.RYK | 10.00 MB |
MD5:
029143b6383fe86a454616f35803ac5c
SHA1: b62e762d0972d7226e5f8936b7091aaf4b5970a4 SHA256: 52d4516f56e44a01f59e4952992ac95a422a86fe445133eefbb4e8a68a24a43d SSDeep: 196608:DShB9tJnyut0n46J7RgPGb/QfjIC3Qa1oc0kFgbQczUul9NA1B6Vdk6:gbJyM046JF1/QfXAaskFgbQyDlcb6 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini.RYK | 1.72 KB |
MD5:
b3c185fafa76cbd0bfd7c7a0c3b11aec
SHA1: bd2749f7e93dc97b670557d98090ecbb78c82720 SHA256: ab6894bcd74a8ffdc0cb1aa688af76ca4e30755e92018a83e23e59c6e669b986 SSDeep: 48:9MuF3+TyfT3ThZ2BWAdkjv3Of5hNjNfdd41oh:9MauTuT3WV+LWbda1a |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\198.RYK | 0.41 KB |
MD5:
720f139bcd011373468332faf75c82e8
SHA1: 5f8dca5e8297959ff998c4334b5c5016c8f50028 SHA256: e19a0d270bd1275c99384bc6cf5a4cc0e5267f3ca61937917a10c95d1202d965 SSDeep: 12:zcXexNtagriJ2Ry7qVV2g03AQ98wB41czweZxM:z1tagW0RyC23F8e4AxM |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Get Help.url.RYK | 0.46 KB |
MD5:
f4583c59788e702a2ac5caec0c338fb8
SHA1: 131ea416e79ef2cf7123b496187ec4276a2b56a1 SHA256: 6741a5ca2ae4de5615280bf84f94fc659c134cc1eb12929af718a04eb2dba4be SSDeep: 12:dZ90vv8yxWLuvntQJS1csGcPahS/fG/4bd:dj0vv8XyvK/JcF/f9bd |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\2\61\EFAE1E6619D4EE51.dat.RYK | 0.50 KB |
MD5:
c0194a4b0363f78af2c8c8bde28e39af
SHA1: 5d514ec45ad0508ecd41d2690e30b636645e5692 SHA256: d2135651b1f7cb3c7e8c0110b5959f1331feb2d1cf1dfa754560c5773dda0a30 SSDeep: 12:PRnn3XPTyoobCV7o38vsESFtvJyURcJ+EvgH0Fjn4X6zR/+zMYre8ZVRE+3:Z3XPTyoMCVEE+vJe0rUJ4qzFwMGlE+3 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Sticky Notes.lnk.RYK | 1.44 KB |
MD5:
c9778d74f791cbc19a54cf6d214b5dba
SHA1: 8eb1e7c8b7abdd680f06e1db9bca7a78380953c5 SHA256: 01ca596829e509b18eb55398f4930161c942d2d027365182773a5132a098c568 SSDeep: 24:i89IOBpIksX0vDgu9k4/2WMkvzQb9dQ3RlhydhnjZKduQBHviKJ2zhwlK4PjMxOk:IA+F0rZ/Vs9dAOJjYpzjMxsq |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.001.etl.RYK | 16.28 KB |
MD5:
496c84cab32cc02a92069cae1f3c9e93
SHA1: 4bdcb563d43d3c5e7131b7bbd935096649729ba3 SHA256: bbd20b0fc3c98b525ab6d8edb4f7c6c5f26da9ccb079de603cd9d33ff37a8e1f SSDeep: 384:h0bAMRrtbyTeNiyYHDB6MtNLNyEWJY8iHNkR8oz:h08CbYMyQjY8iHNk8oz |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher 2016.lnk.RYK | 2.63 KB |
MD5:
2a9d6adbc8463ebfbc41e9213f043815
SHA1: 9df6e5943255e3dbf3eed84f919ed06bd88ea837 SHA256: 446ffb2b447c8311050dbee91b667dff64a4c2b81a203347f7406d6ffa3c6d56 SSDeep: 48:gS5JPduUaTPHBNNAnpNQRFo6cpi0MPKdeCLOqs9MmSwQvmtDVmFdjgY2ngJBPQz6:gS5pxcBAnjAtcZMCdxGSeQvWZmT0YwgN |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\21\260.RYK | 0.41 KB |
MD5:
bfe4bc8c896ab61ab8c6b5da8cef99b2
SHA1: 755aa0f20e3280002c5385f2266c95a0e603d141 SHA256: dabe533442dc4297e71711e2331054bd3c53699fb428ff1babd184a01f17ee09 SSDeep: 6:8weXdZoR6GIWqwKhx+Ppr+QuipHtvGjgPjVF9QXv9hj2RPL02rDZX5IF2wIcYVzV:8wqZoRXWIprhHPjVOFMbrD0YLcYVzZ3v |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\300.RYK | 0.41 KB |
MD5:
71462bc52883dc628df5167475377d52
SHA1: ea30e99c4078f3a01a5870f6e781f5243bad6b65 SHA256: 2b8dbfab648bb70dc67a55554aee118fdf740dd9389bd5299a7f4da9107bfa1f SSDeep: 6:COhTLUH62W37pHFUgA5m2FIDP0vD5Moh2olotyUp1iE6GxjwPtm1E9sGpkFQPOog:/J2W965IL0b5MoLqtyM1iE6Gxja/Chn |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Word 2016.lnk.RYK | 2.67 KB |
MD5:
c94cc87e57428265dfa381dd00131182
SHA1: 4b663df1d21fb437d3a0e76b284079521d645818 SHA256: d1f325dc199be308a0c7f9c4fc1aaffb1ed76a58af2f58ca28446b76a94a25b5 SSDeep: 48:K1JxrOFI3f5R3IDUdkt6eC0oLQGRtOKI2veVc5D:eJxyFI3MUdk1KQkXNem |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.014.etl.RYK | 16.28 KB |
MD5:
09196d3ae7f71c556a36165e6e59cfc9
SHA1: 62b017fc4f4282db3fbcf24cba8ab8adc11fbeeb SHA256: ba03807813bb3c3e12fc7a394a50d57016bbf5e76a1bb14f60848d35d45265cc SSDeep: 384:zFnEpnWUNKjM4Yqhy7w93Q9hi39lAlSGYhvhkBIOBATLV/Epcv+:+IDLY2y7w93UW4YGYh62OBATL+8+ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\12\194.RYK | 0.41 KB |
MD5:
cf9ed7e0bacd06f2f67830becba4ae44
SHA1: 345f16513df7a04238f1797766a10bd12116e45a SHA256: 1bde1524f167dae98c8fd57c0a3386cb144db1fbf440a05a62860f980d86cbe3 SSDeep: 6:Cn8Rwm1TmxfDI+5Jhnx6D3PCQ/bww3nfNDSMwXcZ0xWQZOWkFocgrIZ5i53jgv:XyQmx7Pvx6D36QlPLZBYOWggc56q |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access.lnk.RYK | 2.64 KB |
MD5:
148978d073daf85a313c718ff7301615
SHA1: d2712091e0f82733684b2902a6f882d3f5018b9a SHA256: 1ba3f6a1b6cdbb4838ff32dfcc578ed6370041e27318ef1aa103206e47bd6993 SSDeep: 48:KvQ1tMBmhZJTvXEj3/9GJij4KP3KjblOIB0ZITBmcfBfIwIZT10k7sbwymw:K7Bmhvs3/3j+b4UBTvBAwGLsbwyJ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Visio 2016.lnk.RYK | 2.67 KB |
MD5:
1f3845de82214f16013c0260afd3c4c5
SHA1: 708220ed1b728c475ebf6a4d19c977494a9d50b4 SHA256: f07e5c76f281a4030019978359f9f55c369430b1eb7c7570c6d95907ae1f98da SSDeep: 48:VL6kh8urietAFhYdQuJ/gqxiIOaoyKIKxE0CswNs5jIlZskSGhKLwMM7QkwRXjq:VcueYAFhiQVMzK3xJCsr5jCZXKLw1wM |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\09\238.RYK | 0.41 KB |
MD5:
53e6a6d20c84315c083fdd763995b9b3
SHA1: 372e1ddcb509f764c4ae96e07b0c8df6344e17d9 SHA256: 6e5a9efc5083970a082b49cdacd9992a9a53cb151ae417960e9d7d9da1e42da2 SSDeep: 6:6sr6o1aQnTk5ozdJ55lItI9+B+Tlv1btewppbEUA1AroudTOgLf8VLTja+NIUomD:6sL1BhPr9JTBvppgU/9L0VekcCRn |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-48.png.RYK | 0.77 KB |
MD5:
54e270db7949406a75b693449878fa06
SHA1: 8e5ae13bf38b49639d82194db1499a502fd0ac60 SHA256: ff4b158d8c9270d47ef1b3ffb2cdade1e2dad8da66861f54486a045053365bbf SSDeep: 12:3MC5ZoWQA3AMGhErCzra0GW5EAws2qn837WC/LmMK6nl+gWQpPpQY+XGE:xZqWAThEOPa0GDVsbkfZKPgWQ1pQYQF |
|
|
| c:\programdata\microsoft\crypto\rsa\machinekeys\08e575673cce10c72090304839888e02_427a1946-e0ff-4097-8c9e-ca2c1e22780b | 0.05 KB |
MD5:
93a5aadeec082ffc1bca5aa27af70f52
SHA1: 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 SHA256: a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 SSDeep: 3:/lE7L6N:+L6N |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.004.etl.RYK | 16.28 KB |
MD5:
c8d8c83257035fe5f15e0c393b6eac80
SHA1: 96a5f3a4d047621cfb1a0f5c19957815a4368684 SHA256: 7d6eb451c3fdf4f6f8b88a8083d4dcc95e6227b7fa7dbcb1d99468fb37d32384 SSDeep: 384:amu3tBjKS2br1uNTsvZ/AMD3Y/4hF3VIg4U+uDBonq+dcfan6R:amudBjKuNTsKMD3o6+gRBQQan6R |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini.RYK | 2.81 KB |
MD5:
52999f9c6fb9f1639bb1296510ed23aa
SHA1: 11884d0fec6825e6695b8da04dcbd156692f7012 SHA256: 2dc715398fc8a2c7df0beab3304684561fe6da3e47f90edcdfd395a5f64e4763 SSDeep: 48:pnUsCx48Ut6vvEXOpd3Sfl9FIxK+u7v1cE0qA6QsawCfqPVX3:pUsG456UXOp4fl9W/g1cUQLfqP5 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel 2016.lnk.RYK | 2.64 KB |
MD5:
fb4decf2376a7a8a56a3da684c561aa1
SHA1: aabde8d354e2a3ad2b46a09021c387aa8399f761 SHA256: 1fab73615175e61327f7bd19b3cba626775ac430866725a6168759d41dfdef90 SSDeep: 48:q5nX2KcEMJvXEtFUDE8DotC05g8z2ikabe9Ywbu/gR3ketTTae:q5X2KcEMJcFUDEc+/gA2ikabY1DUetv |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\10\286.RYK | 0.41 KB |
MD5:
bb1318d2f51f892ea4aa188777e1eb68
SHA1: 7fcea5702b735041bec84ab7bcd694ac6a8eff67 SHA256: 51a00a094a3c6541b6480f6e422c81303f7ee826a81ffdccac5235fa890fe290 SSDeep: 6:4tRRs5m11r3INFs6S3j8qmjRCqoWAKde57mZbT8IJmNZu43HenJlNfGOk58Azp7A:IsbN9Sz8q5Ow39GlMn70WCIebEo |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Steps Recorder.lnk.RYK | 1.35 KB |
MD5:
f2220d3b177e5df924a3a070bc1d887c
SHA1: e786ea7634166bc97189df63a9af38fa50653d16 SHA256: 6ecb1cc79301862a1a4a9ac3cae70f5c470e295ce5fd907171a3a8c1850ea057 SSDeep: 24:P1Qto976XFr1f1ww5ct2ZqPMcTj0N1kL6cMpajsqqyY93NZgp2jfc:Py44z2tt2qB/L6cIajsqNY933tTc |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.011.etl.RYK | 16.28 KB |
MD5:
92a9cfc3ebe6262674aafe5635ef361e
SHA1: 19a98da4d99a734911c90809f2e8cac7373c8b9e SHA256: 6bde61f0ed11233e1dc0a40a8f8aa5c2e4ee1792c3cc79f2b712ad852c9c559d SSDeep: 384:ctsLMJAmSdl7sYIoR3Vv4GsSYRh2gy/ssCqza3:JOAmSf7Sq+bgj9Cl |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\04\261.RYK | 0.41 KB |
MD5:
b313413745d1cf377ee39da2b5914160
SHA1: 82a595a77342973dd95dd7a56b0aad84db6e37f2 SHA256: 113394ff8bf7c465d1af4b904e47c54a4cddf2ec4a30b4167a5bcc87f831a6ca SSDeep: 6:Lfg4VDpx7dfxK1uRH0y1YnAoEJT5gWqWtzyqq+BuZyikhvTyo5VIWNpmy02:Rh4OH0ymn6JyW2+BuZyHvhmy02 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\11\200.RYK | 0.41 KB |
MD5:
9dda03b038d3686e61c7d40d7ec4762a
SHA1: 453c32e916198faaaff56216a1c3fc0c19ecb5b8 SHA256: 1fdc14dbdd2a0c34bc8c0a3bbde1720d92c78226e3ce1fdb8a65195f93b97e41 SSDeep: 12:teezP5OTZXMsgQiA507xltP6M2VgobK5/hqw:MezB6ViAS735sxbKL |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\06\13710.RYK | 0.41 KB |
MD5:
fe04ddfe4b39b1f0dd5811adfa314c81
SHA1: ebf042ad98d21faea24f1766e0a96439a1ad87ee SHA256: 53e66ec08c94c3687839659edc64c92ee2cba62dcebad48e982685165ca2959c SSDeep: 12:vGLbycebZO8Tr4FL5AtjEUkXhOYy/XtIomrc:vGLEbLTrWL5AtjElOYy/Xu1c |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.017.etl.RYK | 16.28 KB |
MD5:
113973c1c3b2426fdc11bdfa1fd983ca
SHA1: dd42ba0a3265fd81c51b8480c46b6ae97e749ca2 SHA256: eb948d84c1bb3de04f0cc00fce46837246ce9e68ba284595e4a120d34a74f1dc SSDeep: 384:CjX6uJIPk6cZ9mReyeAr87JFvK+ASvTOahtYq97M9Vq8/v:CUSUleBJo+ALagA7qYG |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Check For Updates.lnk.RYK | 2.35 KB |
MD5:
2be63d3e8b90111158de45b4d2fde09d
SHA1: 5d01bade251126f7749526a81e7547101d39639d SHA256: be2a6aa83967a62e83740bcdf6e16bcdd18715c2146b948995d47e7b7c218acd SSDeep: 48:CVzxyaE6X1fit+v8xmRksHcMZmj/WGn36jX4fgoM7/kZS46eKvB70BJ7N:CVz4aESALxC3ZI4FMZS4YvB7aj |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedScenarios\Windows.Uif.static.RYK | 2.83 KB |
MD5:
492d95c58a73c1bab21bfee107762df4
SHA1: b81ccad64e0a1561fa326c4bac57792b71298eaf SHA256: c55c1a6eae189541c80c61ff9439a24d3974ffea66f7466612885a032d0a2b11 SSDeep: 48:07FLo9wUWl3BvzCK2w3MWxge9krlhdc0aSWHRYULUU5W2L1GXCC4E:t9wRlxvzD2lWx3ChaSIYULUh25GXGE |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\03\324.RYK | 0.41 KB |
MD5:
350a5cb5f71468efd09c4236024ba106
SHA1: 42776de1a4e02ec43682e6cbb13fe9e622eaa623 SHA256: d7cd79d324e4656642e877077e990fbda1119d07c8a96a8f4fe2589ca81e6144 SSDeep: 12:/Sa+JeFU9cPqiOBSr7JoPx3AhcAFfUqvLXua27j:/SzJf9yZO+7JOSSSUIDfyj |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\About Java.lnk.RYK | 2.33 KB |
MD5:
72cc412c36c756fe0385ca704ef99a9e
SHA1: 14bd5841328565fff0eff77b558b292cf1cdd9c7 SHA256: b5d14a2c4377215820e0ea71db18111903bf324123110957a30ab9a06073b9cc SSDeep: 48:BkKMsvVKe1KMS8Vl2PoVVbUyJ9rSyF1HWeQ3AnCyXIFxB/:BXjPSlPoVDLlF1fCyX2xZ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\services.lnk.RYK | 1.41 KB |
MD5:
d1d0252dff6f2daf498325c8ea1a9b9a
SHA1: b773956d1dc6d9a4401335e2c27e5192def734b2 SHA256: 8939044ac7b81e93dc8e11495970fa2320e24f80dbc4b36c0719a12e2ca9b4f8 SSDeep: 24:Njuho6QrwlR6HRxQ27FRl6MaJBPoHeYqj1d6fp+h/ZtTZDLwqIs2Eg:Nn6EwSH7HFRAjJBg+rj7954q6Eg |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.bmp.RYK | 784.33 KB |
MD5:
95f2c5da12900bed58473ed12fdc445d
SHA1: 0e397638e17901a4a85e9179d752ef564f3273ec SHA256: a6efb68654db862dd703d3292d53872e0abffedf576e932402774ec665f7d203 SSDeep: 24576:YLETE5vJJzvXjjdBIM3MSkJm446jpGrfY+Bl:0vJJzvzjf3R44wyBl |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107001.RYK | 0.41 KB |
MD5:
660769dd42a641946cadd10f756f617e
SHA1: 8e3c848f07217d3be8e7d5ebaa3ed2c87e11995f SHA256: ef0c58edc7302f739147b2bf963495e2a96bd490276c2303d0e12e21ed0f291c SSDeep: 6:ZtMv30QSeBGHWEv2kHkvtfvto58W0PtlVyQOpeJXHlM3c/spnA+BwbgsZytiav:Zav30QSupkHkv9+qFE+WFpA+BYFZycav |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint 2016.lnk.RYK | 2.67 KB |
MD5:
4d04d4d283cf8ee72161d904c6b52e1d
SHA1: 1fbbd5d2e17d796da8a88f8c4d0df11662c910dc SHA256: 48122524643d7a57acc76da2ff7a29e07d4bc84a3c95ddca95c3ab7b9a5aa978 SSDeep: 48:z44Qye8L7F3293JNwlRI+330UHScXddsnRoDO1QZhGY4QmeX36bhsMsw:z445ey7FekISTycXddsBQZ4Y4QBUhss |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.005.etl.RYK | 16.28 KB |
MD5:
bb9f5fb787cb68907b25dac51a58ec07
SHA1: 2df36d84b71d8778c65fb428837cf056a58f94bc SHA256: c15dd387060bab5496878fd500c90872e0f575c17362a6723f51b5683b0204b9 SSDeep: 384:CUk43vB09Y+rKQS8U+OZrZwGloyuwxjKQru1LbtGqOn+vm6bn/c:CUlp0CB8UpdZwMoUKQruBtJwOF/c |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Devices Flow.lnk.RYK | 2.42 KB |
MD5:
dbdc989ebc175288df25567e6574d141
SHA1: 35a3a154e640ee74323d1784d5a25c29bf522709 SHA256: 265cdb5b26ad8a6f366c102d8887992a80b103a199bf5e38948383942019a93f SSDeep: 48:hFra3ssHnWKoHVi5GJ1JNPUC6TCus6ibPMXVYSWi1vBiOCIc:zOrHnWq5Grz/UjdiAVYSgOfc |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business.lnk.RYK | 2.67 KB |
MD5:
1e5cd8013147a54bd3a517a6ef645641
SHA1: 0eecb08bb574fecf311e136728811f53f4696283 SHA256: 1a4a9fb770a2aac8158ab3b863c2618337be450cc389693a4bdbcb3820d3225f SSDeep: 48:ZD4T2uzMxJuEpPiVGWLWx+X216KeBS70ym9AEZBb+11ttIbQOzXr/kz:ZU6ukJu1Lu+X2167S7fm9lSnHIbQWr/q |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.021.etl.RYK | 8.28 KB |
MD5:
939f5e483b99f1d950c1af7d64c2ee61
SHA1: a5d960f7fcde6ef8e0691af983b0f8761a745e3f SHA256: a01540153f2895001dec437796a1e7086cf37af880dcfd10230773b15102bfdb SSDeep: 192:vcFy0rnut9b6rTC6IlABo9sa0zRC07KVpwPkp5IaS+djL+cSF9IoDU4:UFphMvsauGVm8p5IZaj6vF964 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini.RYK | 0.46 KB |
MD5:
74b1dd76b67464adcf5e839d8f9bac4e
SHA1: b1e0a3ab0e13d7504329ae90efa15569ee5347d9 SHA256: 7187ebe0df8e255d964921f0ec6f9703cfd1f25600b6dfa85cc6af5c3415eacf SSDeep: 12:c8jhkKx6ufyC169iv7twiTvL7shRzat91:rOq6e1gfi7L7uRAv |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.png.RYK | 5.55 KB |
MD5:
0b58e672201877415e53a45c0af4e5b5
SHA1: fe7c8e6ebd9eb2660cf0549a023cd63edb1d6972 SHA256: e9adec0efbeb47065822523337c031bc60e1a7c16b93ff609d11c777018afa6e SSDeep: 96:mQbqYYRVdSIJ6mnx3YK3/aI5KmDWRoIYZ+9zRzWoNP5W27HDAgffB1abUPA7AiP:mqqZVdHJDnx3l3/pi17PwccgfZ1abNB |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\MiracastView.lnk.RYK | 2.44 KB |
MD5:
648dee50c826b458787c577263837f74
SHA1: b16ed45419ab89023e4d852df40f8d27c529e924 SHA256: 05bdd6573f70f0ce18342d71473c0623ec27123d169ad34a1a9f72ad0f41429b SSDeep: 48:Z7KOOTaX/r/iL98CegLeFQNReuJBcAjyzHIVl/yieuv:QOO8/Em5AeFYReecjHCeuv |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini.RYK | 0.44 KB |
MD5:
fb505abe88344d21ffafa9303772837b
SHA1: c8d88ba934dced5a18a4d7eb3b569fd2ebd73d61 SHA256: afc3a5e3efd138967743381b0e6f6b6e235dd1c28c514aa8ec68fb09d3a05c7c SSDeep: 12:Pe6cta7tVtICTeknwgDYgyNbmkleuy06gGVxYn:PeLa77SHknwgkWz0jGVxY |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel.lnk.RYK | 2.64 KB |
MD5:
9de2b061032d3a1e9e3d18f22d7457b9
SHA1: e4590b393a962f5ea1f12b2df7589891fc6c945d SHA256: dbe74a24ea05cf2382d399ff4a1e40c6e922ccf320910aa2ac98c177dfd7efe7 SSDeep: 48:RbqrJ8yaRlDSSCFRQ/u04Bq/ce/l7KP3+zwlU4ArtMjNVxBEnGKUn/qgX7nYn6bQ:Rbqr+bItq5lGPOzwljfrBE6y+yD |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\13712.RYK | 0.41 KB |
MD5:
79df0dc76b1d7483be90a72367373113
SHA1: 0433c0bbfed1fe61ed09b41b518c96c948696cfc SHA256: 1f5fda8f45b17817c46fc636f13404bf9cce7763585b3beae51e4d1db134f698 SSDeep: 12:4CrquXyiJnrHjVBFtw/DAAk0mBihh8oRd93DQ:4qXfJnjxBP2JuvoRfU |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\22\323.RYK | 0.41 KB |
MD5:
cb86281727ea3943a558084b19f55123
SHA1: c0c21cc7662337b283862a09b3b37bb2dc598e90 SHA256: aba72fe58aa17accaa77bd9dbef02c880c23dd580e52ab91d06a15e13d5e0704 SSDeep: 6:+7gXCdlLuuJF5/0dADs+GdRszKlhCL6wHMZDfwgFq3xviwMXdYEWt1COY65c:Q1Lpf/VDqdrlhluMlwGwWd5W+OYX |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.bmp.RYK | 784.33 KB |
MD5:
90a2e4498f6135d4babfe250358578da
SHA1: 47fc80a76370b3071d4049b655c3bcb4eea6842a SHA256: 5d3567d7e8939ea60b3e5ca5f5f2d44356d24ba4b2c4545d391ffdb78311f9b1 SSDeep: 24576:qrofIkcxN3mW8bMVf/pGjW2BxybQyvHd2QbT5T:qMQ33mW8bM1/wq2B8LxNT |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\20\189.RYK | 0.41 KB |
MD5:
4c990e65ee2cd50f38c36f62c3751eec
SHA1: 578d595a782ab93a29b964ab645cef29aee90c5f SHA256: 2548b0c34e6a1eca11d1bb6a1746045bc6c9c31ec6f7e595268f7bc534573b0b SSDeep: 12:b1rY+uH2DnPliAOnONizytJQG39HdthXKl8Bo2V:bRI2DPl1rJn9HhXKKu2V |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\14\9664.RYK | 0.41 KB |
MD5:
285b49375336c31e3b10b8cc7522b7f7
SHA1: e9846fdeef152bc41c99bcb08212b9379ca5fa7c SHA256: 2d5ab8ad7e06796dee978ed0bd04c4e4de8ae32d837f44abe71de48cb5386b01 SSDeep: 6:JvmlPTkqpgiXGTdc/0bca6CizNwSxVcvZOW8BRTfFIcd707ixctcqtf/U5WB11bA:klLpZXEdccYRbpNDeZOl3ICCv/GWBmUi |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\195.RYK | 0.41 KB |
MD5:
bf9ca786b74ef58a3ad2634e846753b2
SHA1: 8554cbde6c0141a9afa5d9eb7cfd967dbf689c2d SHA256: 780950cfd48e0eef042f6e145b1c0133f2d6c7d80710b8b5c7b83ef0f650a4c4 SSDeep: 6:47hEJKgmO04l4CEli8tpXDtiTOEWV7FiZHoQgPLoWcKKhcBBjKjNqtjtgAYDgq2o:VJl50YQPtpTt8PWCeFLoKKWB/jMhHL9 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\196.RYK | 0.41 KB |
MD5:
6b3817a926f64c8492855624a29a004e
SHA1: e9c7a2d88e305bb59d5ed79a88d72bd8a239fcd6 SHA256: 1b03b2fcc46b2b4213e714f59fcb641419bc35772ee271e32f4e963fbe1b12ef SSDeep: 12:G3MS2Gx3gpx9sAmtc6+Icea8LneRKc7We6lkNvyS79VeDkd:G3MS2GxQFsXO6Ike4tlkNvyS7LeI |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.png.RYK | 5.55 KB |
MD5:
52165d4f97524bc73bab34f69e5f0130
SHA1: 0f483d6d9a0c0aa86b6e64a4b9be7fdf8f948644 SHA256: ebd00ac3f49456ce37f99d75aaa8e74951ea1d32eab4e44b13ed7caf68c07b33 SSDeep: 96:4vzAXkOWyiHd9QPrmCom6KgNeqRx6FTYRMmd5l7x/ziFGa8sPQmlvNKZOyQC/Q:iQ9yOrEXeqRx6FYXl7x/+FVhokEOG4 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\199.RYK | 0.41 KB |
MD5:
154dec0b3fda6ff6e080e361779f9418
SHA1: 00787022c0c3123160275a73e646c9866136feba SHA256: 6db5a2c81b36329e7684602c052f335d46d6ee6d076de16039a788f031cf9d97 SSDeep: 12:Qu9Ug8/hxQ2wptwIjIFio24neXnzAEEv2/:V9UtzBiycIFioPeUE+2/ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Project.lnk.RYK | 2.39 KB |
MD5:
4bdc3598145ec973e4db8215601a6370
SHA1: 6e3ed67dbf72b0b9ccb0950fb530c9b4362c5292 SHA256: b4f2eba0706bcc5fc0f2644e62cb28953f38e7bd8a2d63b1447aa647750f7963 SSDeep: 48:fXg9Bd4oAEJW5Tks96zOvKdz9pHPhhkMH3aCmpDxWp9T0QVi8E4Xc:fXMd4wJW5bKHPhhkMHKCmBxWP0SE4s |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.010.etl.RYK | 16.28 KB |
MD5:
12a3a8468899ae4fb1ff2886c32f7138
SHA1: f41bdbbca2d8358fd9ee3949deea1c6486cf6a38 SHA256: 21402673b864602d8cd36b27898cd69cefb37962b3d1277cf1009824820de193 SSDeep: 384:2TYblOeyap3oVA3HW+LG9EEO8O9Zb8WuG27PrMNy/tL:7lJxNoyWmGUbVuZ7wMtL |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\02\303.RYK | 0.44 KB |
MD5:
9af8836eb2cbe793fbe2d7fc9eca4a40
SHA1: 6ab266485e1278c23b9cba548bcea91878f5214d SHA256: 31774574d99851c4973356d102de9a7158c074d047dd569fe1bd738c4a521596 SSDeep: 6:sypUucT0zZbOjT0bhLVl8W3ooGTmv4mCki+rWTxeAunb6yaklWHeULOEQ+eIn:n3HzZbMyFLoohvSk6cAWb6yakY+UjL |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\263.RYK | 0.41 KB |
MD5:
b6fac1c69937387bab7ba1006e98e029
SHA1: 9da4d1918aa42cbe0f4cf3a0b91a732a28e053d6 SHA256: 1e19f6ac4217fef68d7c7f35a727fb20c337d03138052beedab26c784368a439 SSDeep: 12:YymV/qGve9UNTE9Vwmh6I02ur7W5G3wEvJHB:YHV/qh2u9VJP0/rS5ewEb |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Live\WLive48x48.png.RYK | 4.83 KB |
MD5:
6f45a70523a04b4a4b0fae69bf99c8dd
SHA1: 5128ff3caba5ca6ce777d522b5a44db9d28a65cf SHA256: ae6dc037c24031db07056f7185bf3208c8cc755368028d1315a6daa41be320ca SSDeep: 96:4yBEgu6YUE2rqrIFF4Dijqwo/LNxr9kIvRE1tTmK5qFg:V8OiYuWDo/5xJksRGtT5L |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-32.png.RYK | 0.67 KB |
MD5:
d710bcc0c380a7006a7a972df300c940
SHA1: 31c944a9ed8bb9d8372402e35008a47bd6b613c8 SHA256: 77d00168f976eb2c11a21f62226789e5431995c9efb4820d15b4dc12c2d6a639 SSDeep: 12:kPBZg2ILGwLR79AF4w18GLAoQh7glJ2fCJES5ud1HihfJKOOM+2bP:WBWDFKpPQ9K2fCWPrCjKOPrbP |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PrintDialog.lnk.RYK | 2.42 KB |
MD5:
f0897a7a54fd3affd7b66f91090050c4
SHA1: ccfabd1d77f7f51849c8280441cb7a0186562f22 SHA256: dffd7959987fc6c4e3afeff219bcd5b518fd468d5cbb1d90b4e6cef4e8f4d9db SSDeep: 48:IypcGBz9HECDsQTLW8NxpnngRlWMRv6sRrCPRb9dBnaHHX/G:ouZkCDsQ/x1GisRrCp5neHe |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol.RYK | 0.71 KB |
MD5:
d2ad0fb44819d965da98b741894dbc9f
SHA1: e0846919cfc513771a51a7771e4797b2e950f351 SHA256: 8f4ef08ff5ede81c56e574565df1a225caeb0903da7753b522d4da6ab7a1c857 SSDeep: 12:Cpzjs2lN41e+3pwFy7OzfV8iZ6kXo4AUOXDYZA4x5ivsgXE1kiJBEY:sns2lN4/Ox8iR4jU1+vsgX0TJBt |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\setup\refcount.ini.RYK | 0.30 KB |
MD5:
d5f76ec42c89319670e43df91477467c
SHA1: 0ca62bbdfd1a5d8a9dabc3b6a62fc6d9a6a50bf5 SHA256: 13556e3e718a993d78f75149e44fb0d9b49c9a100874b2d594a01d427a11dc14 SSDeep: 6:j83dO5VZluhpSezQjyuDoXhs8jVHW2JsIlCRw8q7rA19HXL1n:o3dOvZlunQjyuD8sUwzIYrIrA1lJ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\07\273.RYK | 0.41 KB |
MD5:
b386af410192b88af513ae8b485270a7
SHA1: 5a72ba2b5682ef3e390d7bd1851e18e29a46d49f SHA256: 3dedf987e02209e45a0d23f926998adf37d1bb3766b6ff2f9e38fafc46d2bcd0 SSDeep: 12:4O7is7G4CCigJrMOnIYVENFbGUXcjhkZtFrmBS6j:DBG4BiaQNRXcjyRyBj |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini.RYK | 0.64 KB |
MD5:
8bf58f675186a3d01cd87096e02d2904
SHA1: 6e479f7a85b86603fdb6dda90220e5bef3274e4b SHA256: c1bde4767cbb559ff635a13fbda741a2d84073cb6e72b11dd7a689c64daf4429 SSDeep: 12:P8iVDd4InUgb/QRmNFZfcVPapv8te5RIkRQK3g4iAlmMafQ8o3aG:NVDaq4mzZIiHRrhpBl31 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\272.RYK | 0.41 KB |
MD5:
7629a12eef49800a328e619448e1fe07
SHA1: cb657c65e6c9ca07cf539b3f135b6b44d24cc7f8 SHA256: 770f02ef462c58e8c1fbac9be2dfa70043f9ed04bf388e2b05a99495d68fa727 SSDeep: 12:nDDEs7oqV2mz35ztsocrMAHmVP2JzjP7tEv:nDDEoZj5irtHx9tEv |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini.RYK | 1.27 KB |
MD5:
d9a3776691ef46f21fa9e978105c6e9b
SHA1: d3d01c188811334cd6c1a5e610e71fe5bd5e037b SHA256: 8e1ef41d2047db0fe8d0d85b38ba6d6ca516ea1284e20c1ec4373cff42cfd6c1 SSDeep: 24:T7KdZCwBK2aUQMicwiutSnO3fqljgy/7zGbVJw/A7XU6mGn9:iXCwESQMhwiKSSyPGbV2JE9 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneDrive for Business.lnk.RYK | 2.42 KB |
MD5:
10e25a547f7b3cabb4164258d60a1c23
SHA1: b7f99d0b01e078a6a1ef2482dd84edc12786f637 SHA256: 5993f204ee9c29edf264ff80a81d76a6602305a7cc2ceede45a177d64229f839 SSDeep: 48:hWEjaOladIbu4dTTz3X8mPYxfmRVa57bgLtW7G6vwmXHxT8fSs6:hWE7cdSuoLn8VuR0T7GFmhT8S |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\10\197.RYK | 0.41 KB |
MD5:
ecc3604008f93b30130c986cb447e7f7
SHA1: 5e2da6f95873cf812264ca8dbe796660adee7440 SHA256: 76aa3120b15a65910d35226ca19d16ac52597748493accb106a47c74b372fc11 SSDeep: 12:wCQT/5Hwqa3JwZ69kSWM7HEbRGmacAPT4UPNd0mXzdeyAw:wHTBHf6JwA+M4b9A7PNdJeBw |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-192.png.RYK | 2.63 KB |
MD5:
a0ae83d0475f6aacfbe71322e94ab9b4
SHA1: 0974b5d847a3423d1b59c6b126c108fa9e3f40a6 SHA256: 72727a49a0e782d716d9bf7130b9072532488a5a81f03c7c8f7db85eb6c577a0 SSDeep: 48:Iqd8pz/VHIvoPF5rkiWX4TSDRKfqI1gEnNCrHpYyIb:MHIvqF5w3ITyKN19Nipfc |
|
|
| C:\Boot\BOOTSTAT.DAT | 64.28 KB |
MD5:
702aef55d4213f91cc1c01432223f600
SHA1: 966746a354830a2b728eb006130e2555b9868a9f SHA256: d74ec45c0cc70afc3a274682972e41f8e86161fc6294cba467f1b7ec7bbfa365 SSDeep: 768:qe6gt6WFO4F9Nm1YCUvnuYDf4ov4ZsTwkhD1R6dTSXUczJE7U3CPljfXcawWLaQ6:qexPt0kvnBfUsEo27U3gj/cRQXQhmjU |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Configure Java.lnk.RYK | 2.30 KB |
MD5:
0451cd8e5ad3e3ce7cd51607ba0b2edb
SHA1: 15abdd04867894e5ad06f94c483d8c82e582ebd6 SHA256: 389b55b662032427e0be1b02fe15360fa16b7ee85cdd5362fd3d9c3318c23e61 SSDeep: 48:aU3il2X76oEUl0cWqu45QDZ+7yJMlXWh1frSJ1zgsBqutluQ4:aU3i4mTLq9+Z+BlXWh1fszgyluQ4 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini.RYK | 0.55 KB |
MD5:
9bd5df84207eb6c41650ed6da87b4a3a
SHA1: a0f8d78bf5e889bafe75126c0486695b0ce018f3 SHA256: c01616bd776e84c888e1eb55b0e7d15b566193d91f7d61ba0896370b495c77fe SSDeep: 12:Vgz3EO36ZNc20PR1yVl9P3FTc7cKMsi+YZi2ZY9S/8/Jn:Kztqo22R1yV3vZUMsinE68x |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107002.RYK | 0.41 KB |
MD5:
80cb14e8a1a2b23893be7dff600837fb
SHA1: 2850bb19aeb721f46f7ae97f9c3ac5a944471e26 SHA256: 412f526da238dca1b6ff322da07b5acccb3c44aae3ae60e1ecc211b95a7fdd12 SSDeep: 6:rJEBtItuK9zhvqlD20h7kdJTWvso7+dttfmU9Upw14od9LEn/eCpTKC9MEU49UfM:ksuK9FCdWdJTzo7wtttBVE2YB4f3AD |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini.RYK | 0.64 KB |
MD5:
43857b91f40a580765dba15b43a24993
SHA1: 54ddb105e05d3f2173bd3f483c356edaf1ce5e6b SHA256: c760b60ec2cc1814193f3fa77dbeb6786d64fb9b0caacde16379f079a4f93bdf SSDeep: 12:w512u2OXqCpHrdo1rRjXUm4nhvju/dc+2NXSpgkcZLyjWjLBp:wZXqIdMVL1Mhvju/G+2N6JcmWjlp |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\317.RYK | 0.41 KB |
MD5:
35a19702037a706566f310a887b43c25
SHA1: 5dd6cf95941ef2a6e3f99d57d43fcaa15d5f5ef7 SHA256: 3b229e6a98e6c411a63de597896f58d5e969c63f6d5e40cd27ca8ea6c96c67b4 SSDeep: 12:Nb73AzlEK5piQeNnAt/awgtIt7c4gwae6cx:RAze2gNAN1gtIaFw5x |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\13\278.RYK | 0.41 KB |
MD5:
b3f85e51c8a34634a008fe6dfc9c5914
SHA1: 51e418fe13e612516c19a874a8d7af9c732f19e0 SHA256: 6f3d87f86129aa5ffb1f0acd475c549593fc5183ac18093960dc13a211be8179 SSDeep: 6:5Z6+GCyLiBYAn/mTkla7ReueoEbmLupt1mwEfO9yBBtIctzxt9oMpyu4vBjJn:H6+GxiBFviReVaLmZIBBBtIcNxfX4v7n |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.009.etl.RYK | 16.28 KB |
MD5:
3dc217c394623f6347c4cc2d1c04461b
SHA1: ca1f61e3fcdecf8e4da8dd1c00a961c166e850d8 SHA256: 943cbce40b8b5de4fb4cf40f17559fbe67e9749ce5ac494ade32194fbfd3a8f2 SSDeep: 384:PblSCnyjLOTxgMObnlqyeWUU1tHSrTbNqgz6dey:DnSsxgMOblqyjiAgu3 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini.RYK | 0.64 KB |
MD5:
af9e225f5c805ece5624412234903d0c
SHA1: 8a68be8c3106c088d9f7a1daf3da956a7df73ee4 SHA256: 7eefc929c7a5a291eeabbeec58c666f2a7045e6fa2f9adf337d745123a9343e7 SSDeep: 12:QvA4glM8zY78vKc3EQcDdUNFDShSQ9dKKhhjc4Q2kHjEZzPGB5QhM2IYVGgj+ojG:QYtlMUY6Kc86Dc/9dKKzrpawPs2IYra5 |
|
|
| C:\BOOTSECT.BAK | 8.28 KB |
MD5:
bf3e8cf77d7e4c61c060a656634bb1d3
SHA1: b89cad86cf0d7062c9bfcbfcc5c97eba63363bc4 SHA256: fb3ea50e58762538170de2cbaf4cbc808572b8230c8ca92325238fdcc229798e SSDeep: 192:LQ94zj7t3Y5zZqu/3kkE8LWo5PUyPq5FQA5nVWpqhX:Cw/t3QkkEyCbQ2x |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\271.RYK | 0.41 KB |
MD5:
b3336d741499b7751de89c91a3945822
SHA1: a1c4d3fee482dfae56bb5e3db160eada6b438360 SHA256: 6ed2ded9b8d9d55699347d7e5e2e8e2cbb5c122693410ebc0a59ad7ba7853fd5 SSDeep: 6:MyDrub98iS0pwKr+/46PDYgPZxv6G7A6mPRp8p7nHvrOsAk1smebTT00/kOawQt9:ju58iNdcYgPZxvlARp6p7nDDA4evAcJ8 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MpDiag.bin.RYK | 0.39 KB |
MD5:
a37e1f85525fc3dcb18ab17629e31b90
SHA1: 85c2f813d70e841fb3fd4b7a3e205e93843944a3 SHA256: 7e006f2a421f14ae365e707accffb2eb3f895f56be1ea8ea43a6759be2ed4cc8 SSDeep: 12:KJx0Bbc4f3fqJ5/uksyn9XxeeYDSdhZV9zl:SxKiJlJ9XMPD2D7 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\00\192.RYK | 0.41 KB |
MD5:
582b5373e9adc3d3e6890b204266f7bb
SHA1: 880bab8d42c6fa2484a596e2bc7994292e55b2e9 SHA256: 930e144147c4519f5b42bc97aac98bc6859eb95c7e9753382310b68059f2d786 SSDeep: 6:sL0ILjcm0t77Yl8pQPLIuc8xA42AqJXVTsZypheD2dlZuAqnwYJmP3O:sgIXr0t78gQPLICqQqNVTJluAqnwM8O |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneNote 2016.lnk.RYK | 2.61 KB |
MD5:
685ae223a9d670a6e06a26b3dafbc8cb
SHA1: a6aa2fe1b5dcf4511f636b97c1a5a21cc5b8a583 SHA256: d5257ab4158b4e0aac4ef185406ad52792a498bfb4ef4917d05101a25769c46e SSDeep: 48:8TzdGgdIRKhocOb48k7Y/lPIoZJLnQsrvQzYbfsilamI7ekKzEJ+3ypLZAJmX8uY:UrFgOwZZVnQ8vVfsiUdqUJEeK2P57yt |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini.RYK | 0.44 KB |
MD5:
8f0bd2751d8888a0c3091cd76b37546d
SHA1: 27ac87845d4737571358c527cda3fcf774f96b92 SHA256: 95362dc49e96d0c6d1acc12c5f1b3ec48f08460c0c268726d95176ad7f473b21 SSDeep: 6:ezw9Cd3SYL6/KQtv8POKK2NCVfwF3I+/aapmT9vR17v6XLENd8j7wVRYl27Bgzx4:eCCEYotvSRooF3JCOmT9vTpk7vxETv |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.0.xml.RYK | 2.21 KB |
MD5:
e1ed4fb520fa9410fc3c8efca74265ec
SHA1: 1c1a877cbb077f6b92c0f0d01c4eea2a8aeecf08 SHA256: e0f78f776e1b4de63537b1dd2798b900d054db03b45a71349818e42daa4fc852 SSDeep: 48:fBH1NaYMppJLkuFXTsFUB2y9g/rew5atT2EFLh8j8s8uZcKq6bh7Vwom:5VsYPu5Tkgt+DeGatTnFhI8s3ll7Vrm |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.012.etl.RYK | 16.28 KB |
MD5:
0b6a2c3f4092cb37d838c5523bfbbc47
SHA1: 4cd2dd6b349dc67ddf2f828baa6e07f84e574cf5 SHA256: 9d669000dc09e385f6efc78f65dad4a51abbaa03f215790dfb8a31ed7bb029c0 SSDeep: 384:LT+zVa9px+mMoIEjXjQgnlnEJr27KDAj2JSZHpTEokQKM7x:Sa9fsHEjXjznZi27KMKQpkA |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business 2016.lnk.RYK | 2.67 KB |
MD5:
c824da5e042f3957d7ab654663bf11bc
SHA1: ce15d10dff28236f795e6e9af5ec5a1aade2a12c SHA256: 19a055c97665e55aebb8d941939cb8f69f66050180ceaf7efff20d699d8273b8 SSDeep: 48:RuazFyYXXJUW3zn9anYIxL0L/LhIUjNAnVSxBG9YoAJem25:RBzFyiOWEYVWTVSO9YoAwm25 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.016.etl.RYK | 16.28 KB |
MD5:
d2d38885dd49b2b6f642e87064b7fde2
SHA1: 26ec60a3a6ea4aa47dcb5b06180c57ba666940c1 SHA256: 1758238f8144547d64112295f0cef1d5fd8cbd83fe637c889abdb2a0bf1efd2c SSDeep: 384:JBqCk77o2+F1orwu4gbMBeQ+zVbsc6Axyf:Jy7o2S/bBZyVn6A6 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.1.xml.RYK | 2.21 KB |
MD5:
ec6bdcdf00230fc91f34cbc500a50be5
SHA1: ffd0a3348c159606ce8f5cd7e6e236e2b14abd4e SHA256: 4ce5ae7bdc6692b854dbe0aab69650da1f1e0d1fbfab3c7c4e94432a54310da7 SSDeep: 48:UXYQswMypu9Ksnikh4Yl9TSgc9tEg8XqclyAqh9NrKPuoZG+/Q:Uhhzpu9Ksik+OTSgc9t8aEBqh9NrKPu7 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.2.xml.RYK | 1.63 KB |
MD5:
81fabab16451653a28ebef487db022a2
SHA1: bb820caecaa3c39f6e68ed754e86895370337b42 SHA256: 9d334b7737a39a370db1c87ccbee2fdbb24770320f3fe5cb6ab4436c4bcdd841 SSDeep: 48:tiHTazf4lGiD4Ox23bqOPZJQz5SH+MIN7Sb85s+IYd:OGzf4siD4Ox2zPZJc5H24f9 |
|
|
| C:\Documents and Settings\All Users\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp.RYK | 10.00 MB |
MD5:
83f9060c4e4f5a09e21fd91393da6d21
SHA1: 052b35ea11fe33b6dc01b8447dcf9fe139b66b18 SHA256: 148774551c19317a2c577572ce16d8ba8723d8780750f7718c0d9e73124ba216 SSDeep: 196608:F6aPNdKAVKIQtgzY9EyjVx2YxWCqoM4ffR/uRVr8E7ejFul:FRjKAVqtgzY9dWTCqSIGS |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.008.etl.RYK | 16.28 KB |
MD5:
0f2f7d3974fa9c24e7870bf7740b22c3
SHA1: 1fa5bf95d8050d8790c36e1205dcb972a06d9ce2 SHA256: 0cf59335bae48f528d795d1c0c49e600214c4ec5aba7be76befa30f58b1fd124 SSDeep: 384:Xq00gJbVRG1JO3p/DKQWz1kq+b/3nszn3FlDzQH9fvr:XL0glVRGP20+b3sznQH9fvr |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access 2016.lnk.RYK | 2.64 KB |
MD5:
a451dc4df9d263df1d01a3f5551599a0
SHA1: 7bc83ef2a6c74eaacfa38c146a278234dce9d2f7 SHA256: 6c1cf2e05de0a94c29e84ed5a8414c93ccbc163c1eafd90a14e6ae1b433de3c7 SSDeep: 48:aa71Sq5iP9QPchgrXHIS5UfxNniv0sgQKOCzD1evcrTfyTFP:dl2wHrXoSoxkvv5CzsEnyTt |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\dfrgui.lnk.RYK | 1.41 KB |
MD5:
777316fc48e1857257e66ecf6715262f
SHA1: c082d854b8bd43ce1c379dee2979ad0ccecc7ca0 SHA256: 668020e005935cba1e277a0242df8ab34fd742fef50676dd14fb3d25454e137c SSDeep: 24:B44AqzxaQ7gconPQc/dczojk/RcUHHsIGCFIAL3IuFT9ppZo8IF3DpClyv41B23K:B4vqFaagco//drA/RcecCTrIuFT9jZoo |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\21\13719.RYK | 0.41 KB |
MD5:
42ce4be818377bd65e970f4749562abc
SHA1: 028c68a48795066f6a0ec0a86f97db1950b97c2e SHA256: ad538458497141aa1a4f13e47742d4bc870eb7223e61c01db66d56a23be6cecd SSDeep: 6:8eIPxsSkopot4EV6FffSsrOFl6ZAWTXUKNNsKJ15+dOiuD3C0UX1Kns6lSx:uJzXGPLsS2AWrUI+KJ7+dODO0UlKs |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\10\267.RYK | 0.41 KB |
MD5:
53c971c11a197483cf3e854f5578b030
SHA1: b66341b360c29e02535890c7c003d7c947975396 SHA256: c1dec170ca8681be4ba886f42d5719e79eea8811dd2b24e60522dbe99ff418bb SSDeep: 12:eYERfNWkyVjhJ1A02CXkDnHHKDhgXR6LJHinjYk:eYERfhOjhTn2GMnb69HwL |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\09\13711.RYK | 0.41 KB |
MD5:
6cf57aa8093cb78a9c0dbd1cef4a5b87
SHA1: 081d2e9544e4305341f9d4da9b647f9992ddbcde SHA256: fd1ed3b5864a53e645b96d14cafe618d9a9b24b13358531104ac6159932d4e6a SSDeep: 12:UdntU68Xub9WWZclUDszAoeUgIBFUPbw9Wcq:untj8XO9DZ8yvUgpbwsf |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateUx.001.etl.RYK | 4.28 KB |
MD5:
495fc4c3037e26ac0b8d748bf4053f73
SHA1: afe563ba6e23bf69c9000669c10e15d51ea43ece SHA256: 20e2f95b3bf91acd2209a9db6d6b450ca90989130189c9d2753c1911fdc33b4d SSDeep: 96:VKRBDOg8xmyx11EcWCtiOsrh4nclTraSV2BNGZTjRHg1/Ep3W:ARBD38x9j6VCwbuERxg1/E9W |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\2\0000000000000000.idx.RYK | 0.36 KB |
MD5:
65deaec14db12ceae117df46bd445d57
SHA1: a85a8df49b09a729a22a3754b016f63bbdf95dc6 SHA256: f29c68a4ba02189535302cf2dfe4c476d1afbd671d8361ebcff5e2933233cdfc SSDeep: 6:AJlQ822C1pA3VOEPSGbgd8U1AkJBcnTndgrGyydSnFx0hYhTOBZ7Dhk0iZ/RaO4V:AJW2apIVOMbgd8U1jCnTnSGybnYihuZV |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.002.etl.RYK | 16.28 KB |
MD5:
5ba99386d83aa5d5d1421e09d94cfdf1
SHA1: 6e1444ac8c5611957809dce09d962b9d45790433 SHA256: 5124c4fb80afd1540243c8a8d7d032e97d74f4fd051d5c21d5be89b2e7f58c50 SSDeep: 384:JT5D4BNKlm6UdARaBJr0MHBDBl4xfdBYPVjI03:JtDUNKlVUdMaJNBl4xKl |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini.RYK | 0.44 KB |
MD5:
818524c9fb868422fa0d98f7b64df9ad
SHA1: 02d9737253c2690c6cfbfa2260f46be87ac27b99 SHA256: 2551ad99f1ed5216f8e3504c61e7f01d32212540cd044943e6a92722f64df1d0 SSDeep: 6:oTf5bRLroP2967ObbqKYwbvYK/QFpByop2eH+5rEvc+nF1ZEVfMAu4THdxCCL0IW:oTBFoipyDd2eetE0GF1ZE64THd8CLNur |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher.lnk.RYK | 2.63 KB |
MD5:
937b5b75555746e39e86c81437453305
SHA1: 7e57f216ff4b59727fd4e9ae17dc2ac48987096d SHA256: 26e05e88d52a09fc59ab8ec57738fed9a10cd9f147a60910b45e8dc16986ccd8 SSDeep: 48:H72NomybBAnFzPAW7BjwRHxoiUP7BXjnCWcR74MHed4PI:Hi5LAYoHu5PVznCF74MeWg |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\04\259.RYK | 0.41 KB |
MD5:
8bc6de009595a0abff15f2a63108ce19
SHA1: af87ec7fd4fb5d861e09c260ca13374c27d7cb45 SHA256: f02bcb736dacce3c1f52b3493380af928accf57d76a5c13e075806c946adcd04 SSDeep: 12:RFPDDtkCMxMuTLVrWI3sSy9E71MtWYLIXrWgNbqDS+Yr:RFPD2K7IcSOE71MtvLIyqr |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Snipping Tool.lnk.RYK | 1.38 KB |
MD5:
5fbfd9e6ca52babebdfb56e31006c0b7
SHA1: b89c577fb58071e4d6aee00e313f61cf3422bcfe SHA256: b0ec7cf45ed8c4ce236aea20e6fd4f3148bb31f5b458d0d95ac9b6c5a2196387 SSDeep: 24:lCPatxHXWn3O81QOfouUtdljiyewUYTZBD4nA59sakuuH7aSYcwZtEa9M7hlB87+:ESDn81QtRlepu0nu9ssIYcsO7PG0h |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\262.RYK | 0.41 KB |
MD5:
8401d089bc4389826078003313733efc
SHA1: 1dea16b945f601e762a19adaa6b6d9c338b16df2 SHA256: 748dd14bc0a0db9fbe472450ebc7f16fdb37e4e52f62bfdfdbf4990002ce25e6 SSDeep: 12:m/y5Wv1Q9gaWvGKWQXdjQju42if47zlqJqbN+dO07l7e:rWv75GiXCjZ2D70JuwTy |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Active.GRL.RYK | 14.89 KB |
MD5:
bc0c16eebdbd42680a61f3b726842724
SHA1: ab026ecd252d5733daa60863a1cb4cad597e3e8e SHA256: c0c4436b6f328426f8cd1098898f37cf0888f371608f932a245c8a7350693bd4 SSDeep: 384:AFQGrD1PvZtJEYWjuRaDo67CjN09MfkCnQ1b/jK/i1h4Gxwt:Ad1vZtJr5RadY09A7QVh1h4GWt |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Task Manager.lnk.RYK | 1.38 KB |
MD5:
28b0f6e23d60939b47109bc9e7aa46b0
SHA1: 2ee1d72b0a47d6a16770a20f2c30a0378a1facc7 SHA256: 93c14fe789473a8d445a3999cf59440e2662ea883388922c89173e9e2de3fe31 SSDeep: 24:572zM5zAgXp3IQeyxlkMOp9F9X39pNhnDt2nOfG+6BBeYq6Z8OzSknMCw:5yA5znXlIYkMW9FhtpNzDfGnnHpqOz9Q |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Default Programs.lnk.RYK | 1.50 KB |
MD5:
3473528fd1fad87753436fe5fbfb5204
SHA1: 92e9670f52b6ee4708be28c73c65e50727727a7f SHA256: f9aa2fcc3216f862dd416eb61e232d7ab2323c9f9af5ca682c1551f82c9dc834 SSDeep: 24:P0au5Qdj256Iz0bI+6asjo4/lS5zEBdCKyIlQeFVT2GoZqkNRK7uWTiESrm:P0anj25Vw0+6aA/kEB5NFVTDQVWz |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint.lnk.RYK | 2.67 KB |
MD5:
6c02d874ee7e2c1c82c283b62ae921b7
SHA1: 51aa72baccffaffb504c54760972912646475d08 SHA256: 55ce0399eb0312536948d194e18811e9780bd597b9229238967e81dbaa75ee0e SSDeep: 48:468N7BrHbnUfr4ey9568XL4CT7DG0Zz6Jr8+B6AYrR7GAP0MArSfg+uJbW:tw8r4eO88b4QGT8+B6NAZM2t8 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Visio.lnk.RYK | 2.38 KB |
MD5:
1a7b99f7737e4eac1ea2575907760f1b
SHA1: 275e110d65b62f98e22daf3a9d6b0754030bd6b2 SHA256: 77afe45d9aad1fcf0dc1f1ec3b4d612a2308f3b242af4848d973f9c4b64e59e7 SSDeep: 48:BtGnQLvAijkjFznmXplByB1sRd5cgkfqLhEgNCpOsiU3/947V4NUo:BtGnQLYWIBmXrQsRfkZFMszV4hwUo |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\XPS Viewer.lnk.RYK | 1.38 KB |
MD5:
041b1af554d37feba91cd96999254c1e
SHA1: 7941712d840bcce5a48e2a78e5b21c9f6f4d83e4 SHA256: 1732758e455ec764f9acf937a059c4025bbfbcdf1cf4bc45f3c96355c5bea1f6 SSDeep: 24:pDOfnt8l4L7HgcAwTy8ow7h61BuymmuVJkMcagRRqh1jxUVBX/m9UuMJr:pyVlL7HxAwTfNaIbPJo701jiVBumuMV |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.013.etl.RYK | 16.28 KB |
MD5:
002c877d7a885646c29c5fe511bd2afa
SHA1: 602081fd56e01318bd73d85efbd3c109e60d83a4 SHA256: 437510eb5e735465d5fbb67059ed085b024f916dc3a607d8609f53922d776cd2 SSDeep: 384:4I76vCipxo7y5RZURlDdkyzc1KHCi44ysbzsxlQM4wlMHl3azP:4IWaipxIoZURdjzc1WAwbzaaHd8P |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Immersive Control Panel.lnk.RYK | 2.56 KB |
MD5:
5a8dbf0cccdfb9cfba41ef35924eee57
SHA1: 884ab42b21353ed4de9e042e7de93c13456310a5 SHA256: 89948352961d83eb56f547b57c1005474f46d29f8e883426e922881884daed5f SSDeep: 48:iQUKMNPH+iOpxi8C2A88Hnq1EWBSgNNH7aLeuTIO4uS+qYegnc+wKzXD:VpYpmvCT8WUEwN0e1r+qYZz |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini.RYK | 0.72 KB |
MD5:
310bce0096c8db67dce6ee89f5ec7777
SHA1: 910242fbda5faf497dc91803ca13d4599f50a82f SHA256: 441e5c75b5e30c676a4372183433593877ecd76b77b081031df6592823db8720 SSDeep: 12:RpqiU+GwlmXtYW65MoPtCQDgnA7EyzNgPxv/CSaR1y8qiueMCkIy8W:/qiAXtjolCWyFIRo7iueED8W |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.006.etl.RYK | 16.28 KB |
MD5:
5d4e7f97c3f2ece11955f4a007926ecc
SHA1: 0fc61dbaf90ddc65fa0886425a0061e534b093a6 SHA256: d491146bfa79ebb60930aabf8d52bf53b50ceff894ccbfa769f58c54923e956f SSDeep: 384:RS6X/A5XJK7Mhd5RIPH3X02jKUQTClDQHBiBDd+zZEYLecsuL:Y5XJK7e5RIPXX0pClYBiv6EYLeG |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.019.etl.RYK | 4.28 KB |
MD5:
9b74e943e151edee8676e2b9a1fb6eaf
SHA1: 27437eb933192cdc6eea4a05e9d6c5f75032a46e SHA256: 88b58da76dc07b07ac9c11e479353d569ca46fc59ba71592a2caf0942fde9f97 SSDeep: 96:Zc2Oh1m8rKTwbpu6z4DqE4Q4wSHuk6LNElr5/OIYJCYLGA:ZLOtrKTwbIqSqEgF56R6rMJCcGA |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\288.RYK | 0.41 KB |
MD5:
ff9a310b8bfc40bc3c994b5bf3d4b524
SHA1: 877b20b97310c482f8f2e3235c7ff28ea9619a9d SHA256: 56662159639641b3708f2589d22eb2a9f5964573dcb5038082e3c291a9cff978 SSDeep: 6:5laMXVZ8/qsujvYSsETNy3595DYzYj9Wi6/i7scf+nAosHjHlF1i09MlBDIop4H:KKvJlTNu5vYzO99TfoAjF0vTDIopS |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini.RYK | 0.64 KB |
MD5:
8c0e38b7694b1c186aac76f0c053af63
SHA1: 2e2b547d74fe1cacb6fe9174f3ef973a4b9acdf1 SHA256: e04319c67519ccb22bdaf674eaaa59ec31d3caed16ae06a00d537bd922a62683 SSDeep: 12:TpopMgqTaBsaEVGeG9vPXQ1jXYabeAOgRkiU5/SaDFWQKtvw74si+pX5+y2lF5d3:TOWdatEVm9Q1caOgRJUhFZ4aBwy2lF55 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Math Input Panel.lnk.RYK | 1.42 KB |
MD5:
9a7d34692fe58732a1bc548ec0bad640
SHA1: c58b2d849e66b35ef96c66c486332cb7b776f600 SHA256: eb00e0f0badaca0d8a2073ac67581bd4a3d7e3c21d7093978b0619c8d68b293d SSDeep: 24:ILiUpsxcdji4TCOwatd/r1k0NgK+yjysIZjrobIVdM4PPJy3MyilckeDFRY3:ILiUpscdjfttFr0ymjrobWPkMyXDDF0 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\1\0000000000000000.idx.RYK | 0.36 KB |
MD5:
3e9e1897b4f8995a416526e97650be10
SHA1: 062ae347cd56691e3373efa06ed539ad5e5351e8 SHA256: 2a4e7d5cfae92db412153d87389be20a456538f4ffb1ade556574be1c56cb5b1 SSDeep: 6:3WXXQvKgnTDEtBZsdSy3knwGg5en+TTUXMeUeiFgqImCd2ujrt+qCrzzjeCE1PRq:Gn7IAdwGg5c78eUe6D1uCnmCb |
|
|
| c:\programdata\microsoft\windows\start menu\programs\word.lnk | 2.67 KB |
MD5:
4cf6a72182107d794f89af9fa109c7c9
SHA1: 88adb7f5a9bef403f5380139eadf5a59fae10b63 SHA256: 95f3c03b03088f3a39a57ffb768e5cc887d5862030efd7c0366e35826f7bf73e SSDeep: 48:e4yN0pYoD2j7EF2kcQgPyJBMKhwzGLNQY8iUUueDEhijGc2zzt7HbcAE+ggn:e4yN0DcEFNb9NrYPe4WxOt7wAE+gg |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Acrobat Reader DC.lnk.RYK | 2.67 KB |
MD5:
04984e83317ff1a0f952a6191df95c73
SHA1: 7a4d2e5e3c6618519b206ea6ec1eec9d7f380e9f SHA256: feafb55bd96cbefe1553b77d24b52f0b3a55a3d6ad756f9a92d9384cb4921668 SSDeep: 48:VLzl2c0bNZ/dgT8dySBcaIDfBl69fDy0OX1xCfYJZ6j46A7CGfQXJADaTvZ7pl:VLzlB0f/dc8dygI9kJRi6jLAGWCQaTd |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Wordpad.lnk.RYK | 1.41 KB |
MD5:
77244fabdab452432b0c778287c15c51
SHA1: 2652a839aea263b790931bd1ed26e9d1d097a727 SHA256: e9c626502bf607bbaf3b1d486a7a9caab72a65bdf751b8359ff49c5aa80bbf02 SSDeep: 24:FcWxcHSbIkns1tgsRzkZZEaRdaQtEPsTh5dBBUSh6MS2+v2ueZF3Aj3VFQ3O6IBG:qGIbt1Rz0LdaQPT3fBUADS2+uue/AjVI |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk.RYK | 1.60 KB |
MD5:
752fadca80c4b5034c3297bfbe480b82
SHA1: 5072e927f1f5cfa9a7b2dd21c516e4ee35e08d01 SHA256: d570c1ed7183392abbfcbedfce9a0c47ed0c2f23f7f33ad23a9ccd367aff9d31 SSDeep: 24:VCMtD+Gh/9fM9P2H7Nt116+Vl9eAko6fJLLfnPlPvrBbY8aiQhrUkfbMj:Vt+4M9ej119VuRJfNPlPvrhY7hrUGK |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Outlook 2016.lnk.RYK | 2.63 KB |
MD5:
6dbb87d962637a43a1018d5ea22582d3
SHA1: 581d3ea976b7dc785d49c8d02aeb7621f924889b SHA256: 0eb4d2b8dc482e5d84e1bffb57da396bacbc2225121ed69f7944c8fe34b706e5 SSDeep: 48:inVE1e6zkEW3hmqk0Rv4A+XKuaaxIlzEoR260EL+xA59LfKbnSwTFu6r+Cx1:yVt6fWRl4jXTZxIOoR260EuI1SGwTFZ5 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Desktop.lnk.RYK | 1.11 KB |
MD5:
72b12150b9e8e6d3f68ec10a822a76a5
SHA1: c92a511850977135aaf6c6e8b1439b3499337098 SHA256: 0839040ee541ea5133d46a629a6cfac2f76b30e6ccbb9a0f63be7ff3237fd855 SSDeep: 24:4Okf0kNSHGzIK/BE8Lle8bKAGHjGL2Kf76a1yUWKPU2uByfOM6rbQpoS:49TdXnTL2Kf76+tuByJ6gGS |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.003.etl.RYK | 16.28 KB |
MD5:
a280d8682c9d8a63897738a7459d9da0
SHA1: 4f1c33ca2ae59c0a06ae549ade411ccfc420c97a SHA256: ef79000f628c0ae436ee676ee510b4acbcf1f3feb2816482c460bb767c353a31 SSDeep: 384:ohkFTkJcGugA5FX/ZAlI1amE5B0JArN0/140BSpp2+S:gigA7ZAXaJACd6p2+S |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.018.etl.RYK | 16.28 KB |
MD5:
49d4aed20bdad3e1028d5f6e047a1056
SHA1: f730330066343b5af33cf1cfa45978e542d695ba SHA256: 87ee8970b8462eefbad63a6b63cb4f8c89fe79f611ff5b3699545a7ab1c94d19 SSDeep: 384:mneKtbCcgTG7Zxxb/4j3ldXGPiAjR92eD9jw7BHBPd1:mvtGcgTGNjbQsi4F6d1 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.015.etl.RYK | 16.28 KB |
MD5:
8e354e9989db795649f74f1040522d04
SHA1: d81dc841f5ba47bdf3e968aa307ff89625479616 SHA256: f66d6b90fdcd86186aa9431e0915f963f01c5488f59808b2ca4b78c21f7e8c7f SSDeep: 384:ESkSc0ixfArEhmthYuHbgEOImGHq+7HI25/5kCiHpXVlHIv:XVc08Ey2YuHbgE5vh7yCypXVlHw |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\191.RYK | 0.41 KB |
MD5:
2626fd1be39722c62f29157edb9a19a6
SHA1: ff01374de5f1ce41962443c61e538dbe10e73773 SHA256: fa6f044f4c6e6fc6133693ecffa77c472d13a411f7ce7224ed4527427d4bc571 SSDeep: 12:ItIBKeZl6bumGA/KzRaJHoon9zTiLU1XUIt6:hYeZl6bV/wRaL9zTiL+XUIY |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Paint.lnk.RYK | 1.36 KB |
MD5:
99ffdf7d8f38dc8ad9d8b39477071bba
SHA1: d7f88b0b934be2b2dc66a48faefeb99bc52fcfc2 SHA256: 598dc49d018530561347fb87b456b7cbdcacd66c01c37251d17e16986ca1c623 SSDeep: 24:wJbKOyWR2jgVGEuL1TqZB+4Tz7QYZrb38E2qA0qIfmgHphfWUbieVZ3+vCv:wp1duBuZk43jZP1JHphfWU+0Z3j |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Pending.GRL.RYK | 14.89 KB |
MD5:
9f4d5cda1dcf4791919c1b081fc4e68c
SHA1: 286d788f69aba17a11ae9009bd1e60196c01ac9b SHA256: 858d55d383c8f3112fa54f77255a777440d50aabca4471638077ab65cbcdbf06 SSDeep: 192:Rbl0i3wdYlwmQ9Tyv4pc4ODYYvNLxQ36AfT4U6MvKnXDzjz7mUjxs/5CnlTl5N2b:RSi3wdswDE4po9u6wZFinXnjzXH2/QW |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-40.png.RYK | 0.71 KB |
MD5:
b00ec100de27322f824250102f19ac63
SHA1: a7c91356f45440b332bfbc74a8bcc761a8cbe434 SHA256: 8f5a127cf495511bcd1936f426704ce1a8a64a38dd914e907616f7e9742e14d7 SSDeep: 12:wM+2L0WgDS2BuCPwD4Z/nnvzxcE+aQCGs68twkfdtDlcAdiG288I6wTF9I2IsX3A:wM+YguJynntpbGKSQciiTkPFWs4b |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Project 2016.lnk.RYK | 2.69 KB |
MD5:
8e6ef7c7bb987eb4eb3c56526da48406
SHA1: 40693d36241cc03755f4c94d5739383f1ff95d2c SHA256: 642b93b5009f88c22edc925e94bb5189118a5974a6d4c95f80669f6bc100892d SSDeep: 48:BPttb8KzS9JMjggty607Gq/J5B+rgikzUFKglTe+AlJsm:+KEdgtlmPJPkn/Kqml2m |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\3\0000000000000000.idx.RYK | 0.36 KB |
MD5:
1ed18e9f8bc73d62cff87e08c995d1fd
SHA1: 9009aff9b1f3d73fa62dec7e65c272296c66a37e SHA256: c6a0ffd8869fef9285ab74c50d41167ed2236dd23a598d8815ef96841b7da862 SSDeep: 6:exE7WKutA99DWpBu8uiTSK6RoX2v8RuZC5tP7qyo6kNUgm4LXFkTtRBFaGhnhVM:nZutA99ys8uiT16RajRgCbPuynkNUf49 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\193.RYK | 0.41 KB |
MD5:
7b76b6d74bf8004f43036789597f5c44
SHA1: c9d9d792a550a32ef135efefbf586b5aa8d4d892 SHA256: 310053a94885a92b95610934e97a52b3d533e5326c602a10fe94b54dcb5a34c3 SSDeep: 6:UE1oHit0AJ0BGU0HjRa0+8412JZWBCjsDaGyAqPKkk7T4Ey06seR7n:UtHGXjc0W12TWBCjoaGZWkEsan |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.020.etl.RYK | 8.28 KB |
MD5:
be9665e4d942e2f71ee29b5d6129b66e
SHA1: f18120e0989309a44f098d8927f633ba4250b77c SHA256: 09c2ee369fa7ba313d1b2fe0a5d841cdd423b90afece23b411a46fa4241ed786 SSDeep: 192:xgGMWjiMiD5hbBvi7ey83cqdWa9OfEVZc8QGu1azt0abxFfNm4/ULl:x2WjLZ7eyBna9aEVZc8Hu100aj/ULl |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\328.RYK | 0.41 KB |
MD5:
897f61d6e8b523178e80232a582b6fe6
SHA1: eb8e1c28af3cbee7e8f5c14d206f2d647e00ab9e SHA256: 08c7b9b569c25bd8ab57bf1a9daa7433ea89b735c10ff60377e3c2b54602e073 SSDeep: 6:naOcTFQslQQ5WW8U264WzV01PtBgWwGBIIunK8tKENij3+MM/rRRH8ea/89wf:aOQ6slmW92PtWVIunK4mN4eEE |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Visit Java.com.url.RYK | 0.46 KB |
MD5:
43f5265250440d298f772d227a6cbbca
SHA1: 6f4905c1cfc9bff87c0b58e4b223ce9668dbdc3f SHA256: 1f6677f165ed45d3d52bde62b1c27a78c15b8c84221e9ba02c83cff39bc5be5d SSDeep: 12:rQAeLNI+GvuWapp8uSuurXcd0GDFV2GGfTtYwH4:rbaK+XFS9lGJ3ETv4 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Search.lnk.RYK | 1.83 KB |
MD5:
5a0bc7f25bba1d8b3e1efbc2bcdc0b30
SHA1: f27382371836fe9d7e34a2b63188cd084396979d SHA256: 942f2a8e4632dd3ec53938288a33d8bad5b874711a72f7fb01ca42c28b3fa2a0 SSDeep: 48:192UIhLUhSKu8a8IRQGmVJzm4ZtZO5sr1ZZ7dq+Y+84pliL:19jQLbz58IRQjzziCTZ5qHwDiL |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.007.etl.RYK | 16.28 KB |
MD5:
80af55303cca9f656d6b5ef31992221a
SHA1: 7ad3d884e32f50557bf5cf0c8470180802c77643 SHA256: f252ad4ec96e530f53745bf30dc0933d944742fd512341f5de79df483bda905c SSDeep: 384:ec5Hh4ByZgrIHKWvJlQIzUrn9bmh8iDOhfSH0+tMrk0:ec5HhuyG8HPfQACbv6Oha0z |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\266.RYK | 0.41 KB |
MD5:
8c1354ca9cacb50b80a8c315ce4de581
SHA1: 9dd8a4caf5cd8ae7ec1e9a4dcc7a1989e6a1c0ea SHA256: 75f5f8b392316f9c40200a4702922f62ace55d607feb72a7c5e6cc80917b11e5 SSDeep: 12:AUcA9ib/tfP2ZDYCxqQRa9OF4EZXTIqev2Yfw:AUcA9ib1fJCxq43DHV |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\09\287.RYK | 0.41 KB |
MD5:
4b26b66aed2b286e7e2ea4cd5f499fdb
SHA1: b47b8bfb514c172a17cefd07ed65f9d823683986 SHA256: 60e700b0734398c2146f951bd1b745f6506de51d6f1fb8270b0123ab5a76c5b2 SSDeep: 12:77eGVw574RJR2pWqB9xOWgGjRfQtNanqiE5R:/eGVw94R72plB90RaQ7TL |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\installcache_x64\baseimagefam8.RYK | 10.00 MB |
MD5:
029143b6383fe86a454616f35803ac5c
SHA1: b62e762d0972d7226e5f8936b7091aaf4b5970a4 SHA256: 52d4516f56e44a01f59e4952992ac95a422a86fe445133eefbb4e8a68a24a43d SSDeep: 196608:DShB9tJnyut0n46J7RgPGb/QfjIC3Qa1oc0kFgbQczUul9NA1B6Vdk6:gbJyM046JF1/QfXAaskFgbQyDlcb6 |
|
|
| c:\programdata\microsoft\windows\start menu\programs\outlook.lnk | 2.63 KB |
MD5:
2dc9cab5d1ff3af305ffb830065e55a3
SHA1: 54b547d09b1b94458e398ebaf7f2e6de29ee391a SHA256: e40be932ece2bacdd51fcb2fa83afb90a5bde6a2269874f30f491c198533f482 SSDeep: 48:4wKwpTglq4go6FhnGprxTV0bkCD5cPShzo8BMTHIIoPhgWe3UwKMhmaLvQs1D8:TKeTowFFhGprFKJ5cPazpSchg8XngP8 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini.RYK | 1.72 KB |
MD5:
b3c185fafa76cbd0bfd7c7a0c3b11aec
SHA1: bd2749f7e93dc97b670557d98090ecbb78c82720 SHA256: ab6894bcd74a8ffdc0cb1aa688af76ca4e30755e92018a83e23e59c6e669b986 SSDeep: 48:9MuF3+TyfT3ThZ2BWAdkjv3Of5hNjNfdd41oh:9MauTuT3WV+LWbda1a |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\198.RYK | 0.41 KB |
MD5:
720f139bcd011373468332faf75c82e8
SHA1: 5f8dca5e8297959ff998c4334b5c5016c8f50028 SHA256: e19a0d270bd1275c99384bc6cf5a4cc0e5267f3ca61937917a10c95d1202d965 SSDeep: 12:zcXexNtagriJ2Ry7qVV2g03AQ98wB41czweZxM:z1tagW0RyC23F8e4AxM |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Get Help.url.RYK | 0.46 KB |
MD5:
f4583c59788e702a2ac5caec0c338fb8
SHA1: 131ea416e79ef2cf7123b496187ec4276a2b56a1 SHA256: 6741a5ca2ae4de5615280bf84f94fc659c134cc1eb12929af718a04eb2dba4be SSDeep: 12:dZ90vv8yxWLuvntQJS1csGcPahS/fG/4bd:dj0vv8XyvK/JcF/f9bd |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\2\61\EFAE1E6619D4EE51.dat.RYK | 0.50 KB |
MD5:
c0194a4b0363f78af2c8c8bde28e39af
SHA1: 5d514ec45ad0508ecd41d2690e30b636645e5692 SHA256: d2135651b1f7cb3c7e8c0110b5959f1331feb2d1cf1dfa754560c5773dda0a30 SSDeep: 12:PRnn3XPTyoobCV7o38vsESFtvJyURcJ+EvgH0Fjn4X6zR/+zMYre8ZVRE+3:Z3XPTyoMCVEE+vJe0rUJ4qzFwMGlE+3 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Sticky Notes.lnk.RYK | 1.44 KB |
MD5:
c9778d74f791cbc19a54cf6d214b5dba
SHA1: 8eb1e7c8b7abdd680f06e1db9bca7a78380953c5 SHA256: 01ca596829e509b18eb55398f4930161c942d2d027365182773a5132a098c568 SSDeep: 24:i89IOBpIksX0vDgu9k4/2WMkvzQb9dQ3RlhydhnjZKduQBHviKJ2zhwlK4PjMxOk:IA+F0rZ/Vs9dAOJjYpzjMxsq |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.001.etl.RYK | 16.28 KB |
MD5:
496c84cab32cc02a92069cae1f3c9e93
SHA1: 4bdcb563d43d3c5e7131b7bbd935096649729ba3 SHA256: bbd20b0fc3c98b525ab6d8edb4f7c6c5f26da9ccb079de603cd9d33ff37a8e1f SSDeep: 384:h0bAMRrtbyTeNiyYHDB6MtNLNyEWJY8iHNkR8oz:h08CbYMyQjY8iHNk8oz |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher 2016.lnk.RYK | 2.63 KB |
MD5:
2a9d6adbc8463ebfbc41e9213f043815
SHA1: 9df6e5943255e3dbf3eed84f919ed06bd88ea837 SHA256: 446ffb2b447c8311050dbee91b667dff64a4c2b81a203347f7406d6ffa3c6d56 SSDeep: 48:gS5JPduUaTPHBNNAnpNQRFo6cpi0MPKdeCLOqs9MmSwQvmtDVmFdjgY2ngJBPQz6:gS5pxcBAnjAtcZMCdxGSeQvWZmT0YwgN |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\21\260.RYK | 0.41 KB |
MD5:
bfe4bc8c896ab61ab8c6b5da8cef99b2
SHA1: 755aa0f20e3280002c5385f2266c95a0e603d141 SHA256: dabe533442dc4297e71711e2331054bd3c53699fb428ff1babd184a01f17ee09 SSDeep: 6:8weXdZoR6GIWqwKhx+Ppr+QuipHtvGjgPjVF9QXv9hj2RPL02rDZX5IF2wIcYVzV:8wqZoRXWIprhHPjVOFMbrD0YLcYVzZ3v |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\300.RYK | 0.41 KB |
MD5:
71462bc52883dc628df5167475377d52
SHA1: ea30e99c4078f3a01a5870f6e781f5243bad6b65 SHA256: 2b8dbfab648bb70dc67a55554aee118fdf740dd9389bd5299a7f4da9107bfa1f SSDeep: 6:COhTLUH62W37pHFUgA5m2FIDP0vD5Moh2olotyUp1iE6GxjwPtm1E9sGpkFQPOog:/J2W965IL0b5MoLqtyM1iE6Gxja/Chn |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Word 2016.lnk.RYK | 2.67 KB |
MD5:
c94cc87e57428265dfa381dd00131182
SHA1: 4b663df1d21fb437d3a0e76b284079521d645818 SHA256: d1f325dc199be308a0c7f9c4fc1aaffb1ed76a58af2f58ca28446b76a94a25b5 SSDeep: 48:K1JxrOFI3f5R3IDUdkt6eC0oLQGRtOKI2veVc5D:eJxyFI3MUdk1KQkXNem |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.014.etl.RYK | 16.28 KB |
MD5:
09196d3ae7f71c556a36165e6e59cfc9
SHA1: 62b017fc4f4282db3fbcf24cba8ab8adc11fbeeb SHA256: ba03807813bb3c3e12fc7a394a50d57016bbf5e76a1bb14f60848d35d45265cc SSDeep: 384:zFnEpnWUNKjM4Yqhy7w93Q9hi39lAlSGYhvhkBIOBATLV/Epcv+:+IDLY2y7w93UW4YGYh62OBATL+8+ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\12\194.RYK | 0.41 KB |
MD5:
cf9ed7e0bacd06f2f67830becba4ae44
SHA1: 345f16513df7a04238f1797766a10bd12116e45a SHA256: 1bde1524f167dae98c8fd57c0a3386cb144db1fbf440a05a62860f980d86cbe3 SSDeep: 6:Cn8Rwm1TmxfDI+5Jhnx6D3PCQ/bww3nfNDSMwXcZ0xWQZOWkFocgrIZ5i53jgv:XyQmx7Pvx6D36QlPLZBYOWggc56q |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access.lnk.RYK | 2.64 KB |
MD5:
148978d073daf85a313c718ff7301615
SHA1: d2712091e0f82733684b2902a6f882d3f5018b9a SHA256: 1ba3f6a1b6cdbb4838ff32dfcc578ed6370041e27318ef1aa103206e47bd6993 SSDeep: 48:KvQ1tMBmhZJTvXEj3/9GJij4KP3KjblOIB0ZITBmcfBfIwIZT10k7sbwymw:K7Bmhvs3/3j+b4UBTvBAwGLsbwyJ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Visio 2016.lnk.RYK | 2.67 KB |
MD5:
1f3845de82214f16013c0260afd3c4c5
SHA1: 708220ed1b728c475ebf6a4d19c977494a9d50b4 SHA256: f07e5c76f281a4030019978359f9f55c369430b1eb7c7570c6d95907ae1f98da SSDeep: 48:VL6kh8urietAFhYdQuJ/gqxiIOaoyKIKxE0CswNs5jIlZskSGhKLwMM7QkwRXjq:VcueYAFhiQVMzK3xJCsr5jCZXKLw1wM |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\09\238.RYK | 0.41 KB |
MD5:
53e6a6d20c84315c083fdd763995b9b3
SHA1: 372e1ddcb509f764c4ae96e07b0c8df6344e17d9 SHA256: 6e5a9efc5083970a082b49cdacd9992a9a53cb151ae417960e9d7d9da1e42da2 SSDeep: 6:6sr6o1aQnTk5ozdJ55lItI9+B+Tlv1btewppbEUA1AroudTOgLf8VLTja+NIUomD:6sL1BhPr9JTBvppgU/9L0VekcCRn |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-48.png.RYK | 0.77 KB |
MD5:
54e270db7949406a75b693449878fa06
SHA1: 8e5ae13bf38b49639d82194db1499a502fd0ac60 SHA256: ff4b158d8c9270d47ef1b3ffb2cdade1e2dad8da66861f54486a045053365bbf SSDeep: 12:3MC5ZoWQA3AMGhErCzra0GW5EAws2qn837WC/LmMK6nl+gWQpPpQY+XGE:xZqWAThEOPa0GDVsbkfZKPgWQ1pQYQF |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.004.etl.RYK | 16.28 KB |
MD5:
c8d8c83257035fe5f15e0c393b6eac80
SHA1: 96a5f3a4d047621cfb1a0f5c19957815a4368684 SHA256: 7d6eb451c3fdf4f6f8b88a8083d4dcc95e6227b7fa7dbcb1d99468fb37d32384 SSDeep: 384:amu3tBjKS2br1uNTsvZ/AMD3Y/4hF3VIg4U+uDBonq+dcfan6R:amudBjKuNTsKMD3o6+gRBQQan6R |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini.RYK | 2.81 KB |
MD5:
52999f9c6fb9f1639bb1296510ed23aa
SHA1: 11884d0fec6825e6695b8da04dcbd156692f7012 SHA256: 2dc715398fc8a2c7df0beab3304684561fe6da3e47f90edcdfd395a5f64e4763 SSDeep: 48:pnUsCx48Ut6vvEXOpd3Sfl9FIxK+u7v1cE0qA6QsawCfqPVX3:pUsG456UXOp4fl9W/g1cUQLfqP5 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel 2016.lnk.RYK | 2.64 KB |
MD5:
fb4decf2376a7a8a56a3da684c561aa1
SHA1: aabde8d354e2a3ad2b46a09021c387aa8399f761 SHA256: 1fab73615175e61327f7bd19b3cba626775ac430866725a6168759d41dfdef90 SSDeep: 48:q5nX2KcEMJvXEtFUDE8DotC05g8z2ikabe9Ywbu/gR3ketTTae:q5X2KcEMJcFUDEc+/gA2ikabY1DUetv |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\10\286.RYK | 0.41 KB |
MD5:
bb1318d2f51f892ea4aa188777e1eb68
SHA1: 7fcea5702b735041bec84ab7bcd694ac6a8eff67 SHA256: 51a00a094a3c6541b6480f6e422c81303f7ee826a81ffdccac5235fa890fe290 SSDeep: 6:4tRRs5m11r3INFs6S3j8qmjRCqoWAKde57mZbT8IJmNZu43HenJlNfGOk58Azp7A:IsbN9Sz8q5Ow39GlMn70WCIebEo |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Steps Recorder.lnk.RYK | 1.35 KB |
MD5:
f2220d3b177e5df924a3a070bc1d887c
SHA1: e786ea7634166bc97189df63a9af38fa50653d16 SHA256: 6ecb1cc79301862a1a4a9ac3cae70f5c470e295ce5fd907171a3a8c1850ea057 SSDeep: 24:P1Qto976XFr1f1ww5ct2ZqPMcTj0N1kL6cMpajsqqyY93NZgp2jfc:Py44z2tt2qB/L6cIajsqNY933tTc |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.011.etl.RYK | 16.28 KB |
MD5:
92a9cfc3ebe6262674aafe5635ef361e
SHA1: 19a98da4d99a734911c90809f2e8cac7373c8b9e SHA256: 6bde61f0ed11233e1dc0a40a8f8aa5c2e4ee1792c3cc79f2b712ad852c9c559d SSDeep: 384:ctsLMJAmSdl7sYIoR3Vv4GsSYRh2gy/ssCqza3:JOAmSf7Sq+bgj9Cl |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\04\261.RYK | 0.41 KB |
MD5:
b313413745d1cf377ee39da2b5914160
SHA1: 82a595a77342973dd95dd7a56b0aad84db6e37f2 SHA256: 113394ff8bf7c465d1af4b904e47c54a4cddf2ec4a30b4167a5bcc87f831a6ca SSDeep: 6:Lfg4VDpx7dfxK1uRH0y1YnAoEJT5gWqWtzyqq+BuZyikhvTyo5VIWNpmy02:Rh4OH0ymn6JyW2+BuZyHvhmy02 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\11\200.RYK | 0.41 KB |
MD5:
9dda03b038d3686e61c7d40d7ec4762a
SHA1: 453c32e916198faaaff56216a1c3fc0c19ecb5b8 SHA256: 1fdc14dbdd2a0c34bc8c0a3bbde1720d92c78226e3ce1fdb8a65195f93b97e41 SSDeep: 12:teezP5OTZXMsgQiA507xltP6M2VgobK5/hqw:MezB6ViAS735sxbKL |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\06\13710.RYK | 0.41 KB |
MD5:
fe04ddfe4b39b1f0dd5811adfa314c81
SHA1: ebf042ad98d21faea24f1766e0a96439a1ad87ee SHA256: 53e66ec08c94c3687839659edc64c92ee2cba62dcebad48e982685165ca2959c SSDeep: 12:vGLbycebZO8Tr4FL5AtjEUkXhOYy/XtIomrc:vGLEbLTrWL5AtjElOYy/Xu1c |
|
|
| c:\programdata\adobe\arm\reader_17.012.20098\acrordrdcupd1800920044_incr.msp | 10.00 MB |
MD5:
96a8b7c995ee4ce88391a6eeff345b25
SHA1: 97222b04aabaf1e5e66ed37ff1bdb017be6d9ef2 SHA256: 0495ae6d8ff6a9f46535b7351899be2cc07b8744f3f908ed7a9cf033bd91396a SSDeep: 196608:F6aPNdhm69W1wNR5bnZzwitGRFJvW2YxWCqoM4ffR/uRVr8E7ejFul:FRjhm69W1wL5L6tvhTCqSIGS |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.017.etl.RYK | 16.28 KB |
MD5:
113973c1c3b2426fdc11bdfa1fd983ca
SHA1: dd42ba0a3265fd81c51b8480c46b6ae97e749ca2 SHA256: eb948d84c1bb3de04f0cc00fce46837246ce9e68ba284595e4a120d34a74f1dc SSDeep: 384:CjX6uJIPk6cZ9mReyeAr87JFvK+ASvTOahtYq97M9Vq8/v:CUSUleBJo+ALagA7qYG |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Check For Updates.lnk.RYK | 2.35 KB |
MD5:
2be63d3e8b90111158de45b4d2fde09d
SHA1: 5d01bade251126f7749526a81e7547101d39639d SHA256: be2a6aa83967a62e83740bcdf6e16bcdd18715c2146b948995d47e7b7c218acd SSDeep: 48:CVzxyaE6X1fit+v8xmRksHcMZmj/WGn36jX4fgoM7/kZS46eKvB70BJ7N:CVz4aESALxC3ZI4FMZS4YvB7aj |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedScenarios\Windows.Uif.static.RYK | 2.83 KB |
MD5:
492d95c58a73c1bab21bfee107762df4
SHA1: b81ccad64e0a1561fa326c4bac57792b71298eaf SHA256: c55c1a6eae189541c80c61ff9439a24d3974ffea66f7466612885a032d0a2b11 SSDeep: 48:07FLo9wUWl3BvzCK2w3MWxge9krlhdc0aSWHRYULUU5W2L1GXCC4E:t9wRlxvzD2lWx3ChaSIYULUh25GXGE |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\03\324.RYK | 0.41 KB |
MD5:
350a5cb5f71468efd09c4236024ba106
SHA1: 42776de1a4e02ec43682e6cbb13fe9e622eaa623 SHA256: d7cd79d324e4656642e877077e990fbda1119d07c8a96a8f4fe2589ca81e6144 SSDeep: 12:/Sa+JeFU9cPqiOBSr7JoPx3AhcAFfUqvLXua27j:/SzJf9yZO+7JOSSSUIDfyj |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\About Java.lnk.RYK | 2.33 KB |
MD5:
72cc412c36c756fe0385ca704ef99a9e
SHA1: 14bd5841328565fff0eff77b558b292cf1cdd9c7 SHA256: b5d14a2c4377215820e0ea71db18111903bf324123110957a30ab9a06073b9cc SSDeep: 48:BkKMsvVKe1KMS8Vl2PoVVbUyJ9rSyF1HWeQ3AnCyXIFxB/:BXjPSlPoVDLlF1fCyX2xZ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\services.lnk.RYK | 1.41 KB |
MD5:
d1d0252dff6f2daf498325c8ea1a9b9a
SHA1: b773956d1dc6d9a4401335e2c27e5192def734b2 SHA256: 8939044ac7b81e93dc8e11495970fa2320e24f80dbc4b36c0719a12e2ca9b4f8 SSDeep: 24:Njuho6QrwlR6HRxQ27FRl6MaJBPoHeYqj1d6fp+h/ZtTZDLwqIs2Eg:Nn6EwSH7HFRAjJBg+rj7954q6Eg |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.bmp.RYK | 784.33 KB |
MD5:
95f2c5da12900bed58473ed12fdc445d
SHA1: 0e397638e17901a4a85e9179d752ef564f3273ec SHA256: a6efb68654db862dd703d3292d53872e0abffedf576e932402774ec665f7d203 SSDeep: 24576:YLETE5vJJzvXjjdBIM3MSkJm446jpGrfY+Bl:0vJJzvzjf3R44wyBl |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107001.RYK | 0.41 KB |
MD5:
660769dd42a641946cadd10f756f617e
SHA1: 8e3c848f07217d3be8e7d5ebaa3ed2c87e11995f SHA256: ef0c58edc7302f739147b2bf963495e2a96bd490276c2303d0e12e21ed0f291c SSDeep: 6:ZtMv30QSeBGHWEv2kHkvtfvto58W0PtlVyQOpeJXHlM3c/spnA+BwbgsZytiav:Zav30QSupkHkv9+qFE+WFpA+BYFZycav |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint 2016.lnk.RYK | 2.67 KB |
MD5:
4d04d4d283cf8ee72161d904c6b52e1d
SHA1: 1fbbd5d2e17d796da8a88f8c4d0df11662c910dc SHA256: 48122524643d7a57acc76da2ff7a29e07d4bc84a3c95ddca95c3ab7b9a5aa978 SSDeep: 48:z44Qye8L7F3293JNwlRI+330UHScXddsnRoDO1QZhGY4QmeX36bhsMsw:z445ey7FekISTycXddsBQZ4Y4QBUhss |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.005.etl.RYK | 16.28 KB |
MD5:
bb9f5fb787cb68907b25dac51a58ec07
SHA1: 2df36d84b71d8778c65fb428837cf056a58f94bc SHA256: c15dd387060bab5496878fd500c90872e0f575c17362a6723f51b5683b0204b9 SSDeep: 384:CUk43vB09Y+rKQS8U+OZrZwGloyuwxjKQru1LbtGqOn+vm6bn/c:CUlp0CB8UpdZwMoUKQruBtJwOF/c |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Devices Flow.lnk.RYK | 2.42 KB |
MD5:
dbdc989ebc175288df25567e6574d141
SHA1: 35a3a154e640ee74323d1784d5a25c29bf522709 SHA256: 265cdb5b26ad8a6f366c102d8887992a80b103a199bf5e38948383942019a93f SSDeep: 48:hFra3ssHnWKoHVi5GJ1JNPUC6TCus6ibPMXVYSWi1vBiOCIc:zOrHnWq5Grz/UjdiAVYSgOfc |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business.lnk.RYK | 2.67 KB |
MD5:
1e5cd8013147a54bd3a517a6ef645641
SHA1: 0eecb08bb574fecf311e136728811f53f4696283 SHA256: 1a4a9fb770a2aac8158ab3b863c2618337be450cc389693a4bdbcb3820d3225f SSDeep: 48:ZD4T2uzMxJuEpPiVGWLWx+X216KeBS70ym9AEZBb+11ttIbQOzXr/kz:ZU6ukJu1Lu+X2167S7fm9lSnHIbQWr/q |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.021.etl.RYK | 8.28 KB |
MD5:
939f5e483b99f1d950c1af7d64c2ee61
SHA1: a5d960f7fcde6ef8e0691af983b0f8761a745e3f SHA256: a01540153f2895001dec437796a1e7086cf37af880dcfd10230773b15102bfdb SSDeep: 192:vcFy0rnut9b6rTC6IlABo9sa0zRC07KVpwPkp5IaS+djL+cSF9IoDU4:UFphMvsauGVm8p5IZaj6vF964 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini.RYK | 0.46 KB |
MD5:
74b1dd76b67464adcf5e839d8f9bac4e
SHA1: b1e0a3ab0e13d7504329ae90efa15569ee5347d9 SHA256: 7187ebe0df8e255d964921f0ec6f9703cfd1f25600b6dfa85cc6af5c3415eacf SSDeep: 12:c8jhkKx6ufyC169iv7twiTvL7shRzat91:rOq6e1gfi7L7uRAv |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.png.RYK | 5.55 KB |
MD5:
0b58e672201877415e53a45c0af4e5b5
SHA1: fe7c8e6ebd9eb2660cf0549a023cd63edb1d6972 SHA256: e9adec0efbeb47065822523337c031bc60e1a7c16b93ff609d11c777018afa6e SSDeep: 96:mQbqYYRVdSIJ6mnx3YK3/aI5KmDWRoIYZ+9zRzWoNP5W27HDAgffB1abUPA7AiP:mqqZVdHJDnx3l3/pi17PwccgfZ1abNB |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\MiracastView.lnk.RYK | 2.44 KB |
MD5:
648dee50c826b458787c577263837f74
SHA1: b16ed45419ab89023e4d852df40f8d27c529e924 SHA256: 05bdd6573f70f0ce18342d71473c0623ec27123d169ad34a1a9f72ad0f41429b SSDeep: 48:Z7KOOTaX/r/iL98CegLeFQNReuJBcAjyzHIVl/yieuv:QOO8/Em5AeFYReecjHCeuv |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini.RYK | 0.44 KB |
MD5:
fb505abe88344d21ffafa9303772837b
SHA1: c8d88ba934dced5a18a4d7eb3b569fd2ebd73d61 SHA256: afc3a5e3efd138967743381b0e6f6b6e235dd1c28c514aa8ec68fb09d3a05c7c SSDeep: 12:Pe6cta7tVtICTeknwgDYgyNbmkleuy06gGVxYn:PeLa77SHknwgkWz0jGVxY |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel.lnk.RYK | 2.64 KB |
MD5:
9de2b061032d3a1e9e3d18f22d7457b9
SHA1: e4590b393a962f5ea1f12b2df7589891fc6c945d SHA256: dbe74a24ea05cf2382d399ff4a1e40c6e922ccf320910aa2ac98c177dfd7efe7 SSDeep: 48:RbqrJ8yaRlDSSCFRQ/u04Bq/ce/l7KP3+zwlU4ArtMjNVxBEnGKUn/qgX7nYn6bQ:Rbqr+bItq5lGPOzwljfrBE6y+yD |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\13712.RYK | 0.41 KB |
MD5:
79df0dc76b1d7483be90a72367373113
SHA1: 0433c0bbfed1fe61ed09b41b518c96c948696cfc SHA256: 1f5fda8f45b17817c46fc636f13404bf9cce7763585b3beae51e4d1db134f698 SSDeep: 12:4CrquXyiJnrHjVBFtw/DAAk0mBihh8oRd93DQ:4qXfJnjxBP2JuvoRfU |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\22\323.RYK | 0.41 KB |
MD5:
cb86281727ea3943a558084b19f55123
SHA1: c0c21cc7662337b283862a09b3b37bb2dc598e90 SHA256: aba72fe58aa17accaa77bd9dbef02c880c23dd580e52ab91d06a15e13d5e0704 SSDeep: 6:+7gXCdlLuuJF5/0dADs+GdRszKlhCL6wHMZDfwgFq3xviwMXdYEWt1COY65c:Q1Lpf/VDqdrlhluMlwGwWd5W+OYX |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.bmp.RYK | 784.33 KB |
MD5:
90a2e4498f6135d4babfe250358578da
SHA1: 47fc80a76370b3071d4049b655c3bcb4eea6842a SHA256: 5d3567d7e8939ea60b3e5ca5f5f2d44356d24ba4b2c4545d391ffdb78311f9b1 SSDeep: 24576:qrofIkcxN3mW8bMVf/pGjW2BxybQyvHd2QbT5T:qMQ33mW8bM1/wq2B8LxNT |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\20\189.RYK | 0.41 KB |
MD5:
4c990e65ee2cd50f38c36f62c3751eec
SHA1: 578d595a782ab93a29b964ab645cef29aee90c5f SHA256: 2548b0c34e6a1eca11d1bb6a1746045bc6c9c31ec6f7e595268f7bc534573b0b SSDeep: 12:b1rY+uH2DnPliAOnONizytJQG39HdthXKl8Bo2V:bRI2DPl1rJn9HhXKKu2V |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\14\9664.RYK | 0.41 KB |
MD5:
285b49375336c31e3b10b8cc7522b7f7
SHA1: e9846fdeef152bc41c99bcb08212b9379ca5fa7c SHA256: 2d5ab8ad7e06796dee978ed0bd04c4e4de8ae32d837f44abe71de48cb5386b01 SSDeep: 6:JvmlPTkqpgiXGTdc/0bca6CizNwSxVcvZOW8BRTfFIcd707ixctcqtf/U5WB11bA:klLpZXEdccYRbpNDeZOl3ICCv/GWBmUi |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\195.RYK | 0.41 KB |
MD5:
bf9ca786b74ef58a3ad2634e846753b2
SHA1: 8554cbde6c0141a9afa5d9eb7cfd967dbf689c2d SHA256: 780950cfd48e0eef042f6e145b1c0133f2d6c7d80710b8b5c7b83ef0f650a4c4 SSDeep: 6:47hEJKgmO04l4CEli8tpXDtiTOEWV7FiZHoQgPLoWcKKhcBBjKjNqtjtgAYDgq2o:VJl50YQPtpTt8PWCeFLoKKWB/jMhHL9 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\196.RYK | 0.41 KB |
MD5:
6b3817a926f64c8492855624a29a004e
SHA1: e9c7a2d88e305bb59d5ed79a88d72bd8a239fcd6 SHA256: 1b03b2fcc46b2b4213e714f59fcb641419bc35772ee271e32f4e963fbe1b12ef SSDeep: 12:G3MS2Gx3gpx9sAmtc6+Icea8LneRKc7We6lkNvyS79VeDkd:G3MS2GxQFsXO6Ike4tlkNvyS7LeI |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.png.RYK | 5.55 KB |
MD5:
52165d4f97524bc73bab34f69e5f0130
SHA1: 0f483d6d9a0c0aa86b6e64a4b9be7fdf8f948644 SHA256: ebd00ac3f49456ce37f99d75aaa8e74951ea1d32eab4e44b13ed7caf68c07b33 SSDeep: 96:4vzAXkOWyiHd9QPrmCom6KgNeqRx6FTYRMmd5l7x/ziFGa8sPQmlvNKZOyQC/Q:iQ9yOrEXeqRx6FYXl7x/+FVhokEOG4 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\199.RYK | 0.41 KB |
MD5:
154dec0b3fda6ff6e080e361779f9418
SHA1: 00787022c0c3123160275a73e646c9866136feba SHA256: 6db5a2c81b36329e7684602c052f335d46d6ee6d076de16039a788f031cf9d97 SSDeep: 12:Qu9Ug8/hxQ2wptwIjIFio24neXnzAEEv2/:V9UtzBiycIFioPeUE+2/ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Project.lnk.RYK | 2.39 KB |
MD5:
4bdc3598145ec973e4db8215601a6370
SHA1: 6e3ed67dbf72b0b9ccb0950fb530c9b4362c5292 SHA256: b4f2eba0706bcc5fc0f2644e62cb28953f38e7bd8a2d63b1447aa647750f7963 SSDeep: 48:fXg9Bd4oAEJW5Tks96zOvKdz9pHPhhkMH3aCmpDxWp9T0QVi8E4Xc:fXMd4wJW5bKHPhhkMHKCmBxWP0SE4s |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.010.etl.RYK | 16.28 KB |
MD5:
12a3a8468899ae4fb1ff2886c32f7138
SHA1: f41bdbbca2d8358fd9ee3949deea1c6486cf6a38 SHA256: 21402673b864602d8cd36b27898cd69cefb37962b3d1277cf1009824820de193 SSDeep: 384:2TYblOeyap3oVA3HW+LG9EEO8O9Zb8WuG27PrMNy/tL:7lJxNoyWmGUbVuZ7wMtL |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\02\303.RYK | 0.44 KB |
MD5:
9af8836eb2cbe793fbe2d7fc9eca4a40
SHA1: 6ab266485e1278c23b9cba548bcea91878f5214d SHA256: 31774574d99851c4973356d102de9a7158c074d047dd569fe1bd738c4a521596 SSDeep: 6:sypUucT0zZbOjT0bhLVl8W3ooGTmv4mCki+rWTxeAunb6yaklWHeULOEQ+eIn:n3HzZbMyFLoohvSk6cAWb6yakY+UjL |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\263.RYK | 0.41 KB |
MD5:
b6fac1c69937387bab7ba1006e98e029
SHA1: 9da4d1918aa42cbe0f4cf3a0b91a732a28e053d6 SHA256: 1e19f6ac4217fef68d7c7f35a727fb20c337d03138052beedab26c784368a439 SSDeep: 12:YymV/qGve9UNTE9Vwmh6I02ur7W5G3wEvJHB:YHV/qh2u9VJP0/rS5ewEb |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Live\WLive48x48.png.RYK | 4.83 KB |
MD5:
6f45a70523a04b4a4b0fae69bf99c8dd
SHA1: 5128ff3caba5ca6ce777d522b5a44db9d28a65cf SHA256: ae6dc037c24031db07056f7185bf3208c8cc755368028d1315a6daa41be320ca SSDeep: 96:4yBEgu6YUE2rqrIFF4Dijqwo/LNxr9kIvRE1tTmK5qFg:V8OiYuWDo/5xJksRGtT5L |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-32.png.RYK | 0.67 KB |
MD5:
d710bcc0c380a7006a7a972df300c940
SHA1: 31c944a9ed8bb9d8372402e35008a47bd6b613c8 SHA256: 77d00168f976eb2c11a21f62226789e5431995c9efb4820d15b4dc12c2d6a639 SSDeep: 12:kPBZg2ILGwLR79AF4w18GLAoQh7glJ2fCJES5ud1HihfJKOOM+2bP:WBWDFKpPQ9K2fCWPrCjKOPrbP |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PrintDialog.lnk.RYK | 2.42 KB |
MD5:
f0897a7a54fd3affd7b66f91090050c4
SHA1: ccfabd1d77f7f51849c8280441cb7a0186562f22 SHA256: dffd7959987fc6c4e3afeff219bcd5b518fd468d5cbb1d90b4e6cef4e8f4d9db SSDeep: 48:IypcGBz9HECDsQTLW8NxpnngRlWMRv6sRrCPRb9dBnaHHX/G:ouZkCDsQ/x1GisRrCp5neHe |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol.RYK | 0.71 KB |
MD5:
d2ad0fb44819d965da98b741894dbc9f
SHA1: e0846919cfc513771a51a7771e4797b2e950f351 SHA256: 8f4ef08ff5ede81c56e574565df1a225caeb0903da7753b522d4da6ab7a1c857 SSDeep: 12:Cpzjs2lN41e+3pwFy7OzfV8iZ6kXo4AUOXDYZA4x5ivsgXE1kiJBEY:sns2lN4/Ox8iR4jU1+vsgX0TJBt |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\setup\refcount.ini.RYK | 0.30 KB |
MD5:
d5f76ec42c89319670e43df91477467c
SHA1: 0ca62bbdfd1a5d8a9dabc3b6a62fc6d9a6a50bf5 SHA256: 13556e3e718a993d78f75149e44fb0d9b49c9a100874b2d594a01d427a11dc14 SSDeep: 6:j83dO5VZluhpSezQjyuDoXhs8jVHW2JsIlCRw8q7rA19HXL1n:o3dOvZlunQjyuD8sUwzIYrIrA1lJ |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\07\273.RYK | 0.41 KB |
MD5:
b386af410192b88af513ae8b485270a7
SHA1: 5a72ba2b5682ef3e390d7bd1851e18e29a46d49f SHA256: 3dedf987e02209e45a0d23f926998adf37d1bb3766b6ff2f9e38fafc46d2bcd0 SSDeep: 12:4O7is7G4CCigJrMOnIYVENFbGUXcjhkZtFrmBS6j:DBG4BiaQNRXcjyRyBj |
|
|
| c:\users\public\desktop\acrobat reader dc.lnk | 2.36 KB |
MD5:
8a8bf0e9e88d8934aedda839881161d7
SHA1: 43f01c44a3d5b46cfff90086179b512786d823fa SHA256: 1c0cfc91b3a5461dcd54ba706cb0d537f3302beb5bb61fc93f46382aca967c82 SSDeep: 48:FDb/0ukJPLjKDNcoRi3NR7syWGO09wI3BcP/xbEyqKd0rhvtteEfG++v4+nn:J/dYfK2o2DAkBcPBzqKd0rhvT5GNvn |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini.RYK | 0.64 KB |
MD5:
8bf58f675186a3d01cd87096e02d2904
SHA1: 6e479f7a85b86603fdb6dda90220e5bef3274e4b SHA256: c1bde4767cbb559ff635a13fbda741a2d84073cb6e72b11dd7a689c64daf4429 SSDeep: 12:P8iVDd4InUgb/QRmNFZfcVPapv8te5RIkRQK3g4iAlmMafQ8o3aG:NVDaq4mzZIiHRrhpBl31 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\272.RYK | 0.41 KB |
MD5:
7629a12eef49800a328e619448e1fe07
SHA1: cb657c65e6c9ca07cf539b3f135b6b44d24cc7f8 SHA256: 770f02ef462c58e8c1fbac9be2dfa70043f9ed04bf388e2b05a99495d68fa727 SSDeep: 12:nDDEs7oqV2mz35ztsocrMAHmVP2JzjP7tEv:nDDEoZj5irtHx9tEv |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini.RYK | 1.27 KB |
MD5:
d9a3776691ef46f21fa9e978105c6e9b
SHA1: d3d01c188811334cd6c1a5e610e71fe5bd5e037b SHA256: 8e1ef41d2047db0fe8d0d85b38ba6d6ca516ea1284e20c1ec4373cff42cfd6c1 SSDeep: 24:T7KdZCwBK2aUQMicwiutSnO3fqljgy/7zGbVJw/A7XU6mGn9:iXCwESQMhwiKSSyPGbV2JE9 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneDrive for Business.lnk.RYK | 2.42 KB |
MD5:
10e25a547f7b3cabb4164258d60a1c23
SHA1: b7f99d0b01e078a6a1ef2482dd84edc12786f637 SHA256: 5993f204ee9c29edf264ff80a81d76a6602305a7cc2ceede45a177d64229f839 SSDeep: 48:hWEjaOladIbu4dTTz3X8mPYxfmRVa57bgLtW7G6vwmXHxT8fSs6:hWE7cdSuoLn8VuR0T7GFmhT8S |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\10\197.RYK | 0.41 KB |
MD5:
ecc3604008f93b30130c986cb447e7f7
SHA1: 5e2da6f95873cf812264ca8dbe796660adee7440 SHA256: 76aa3120b15a65910d35226ca19d16ac52597748493accb106a47c74b372fc11 SSDeep: 12:wCQT/5Hwqa3JwZ69kSWM7HEbRGmacAPT4UPNd0mXzdeyAw:wHTBHf6JwA+M4b9A7PNdJeBw |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-192.png.RYK | 2.63 KB |
MD5:
a0ae83d0475f6aacfbe71322e94ab9b4
SHA1: 0974b5d847a3423d1b59c6b126c108fa9e3f40a6 SHA256: 72727a49a0e782d716d9bf7130b9072532488a5a81f03c7c8f7db85eb6c577a0 SSDeep: 48:Iqd8pz/VHIvoPF5rkiWX4TSDRKfqI1gEnNCrHpYyIb:MHIvqF5w3ITyKN19Nipfc |
|
|
| C:\Boot\BOOTSTAT.DAT | 64.28 KB |
MD5:
702aef55d4213f91cc1c01432223f600
SHA1: 966746a354830a2b728eb006130e2555b9868a9f SHA256: d74ec45c0cc70afc3a274682972e41f8e86161fc6294cba467f1b7ec7bbfa365 SSDeep: 768:qe6gt6WFO4F9Nm1YCUvnuYDf4ov4ZsTwkhD1R6dTSXUczJE7U3CPljfXcawWLaQ6:qexPt0kvnBfUsEo27U3gj/cRQXQhmjU |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Configure Java.lnk.RYK | 2.30 KB |
MD5:
0451cd8e5ad3e3ce7cd51607ba0b2edb
SHA1: 15abdd04867894e5ad06f94c483d8c82e582ebd6 SHA256: 389b55b662032427e0be1b02fe15360fa16b7ee85cdd5362fd3d9c3318c23e61 SSDeep: 48:aU3il2X76oEUl0cWqu45QDZ+7yJMlXWh1frSJ1zgsBqutluQ4:aU3i4mTLq9+Z+BlXWh1fszgyluQ4 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini.RYK | 0.55 KB |
MD5:
9bd5df84207eb6c41650ed6da87b4a3a
SHA1: a0f8d78bf5e889bafe75126c0486695b0ce018f3 SHA256: c01616bd776e84c888e1eb55b0e7d15b566193d91f7d61ba0896370b495c77fe SSDeep: 12:Vgz3EO36ZNc20PR1yVl9P3FTc7cKMsi+YZi2ZY9S/8/Jn:Kztqo22R1yV3vZUMsinE68x |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107002.RYK | 0.41 KB |
MD5:
80cb14e8a1a2b23893be7dff600837fb
SHA1: 2850bb19aeb721f46f7ae97f9c3ac5a944471e26 SHA256: 412f526da238dca1b6ff322da07b5acccb3c44aae3ae60e1ecc211b95a7fdd12 SSDeep: 6:rJEBtItuK9zhvqlD20h7kdJTWvso7+dttfmU9Upw14od9LEn/eCpTKC9MEU49UfM:ksuK9FCdWdJTzo7wtttBVE2YB4f3AD |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini.RYK | 0.64 KB |
MD5:
43857b91f40a580765dba15b43a24993
SHA1: 54ddb105e05d3f2173bd3f483c356edaf1ce5e6b SHA256: c760b60ec2cc1814193f3fa77dbeb6786d64fb9b0caacde16379f079a4f93bdf SSDeep: 12:w512u2OXqCpHrdo1rRjXUm4nhvju/dc+2NXSpgkcZLyjWjLBp:wZXqIdMVL1Mhvju/G+2N6JcmWjlp |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\317.RYK | 0.41 KB |
MD5:
35a19702037a706566f310a887b43c25
SHA1: 5dd6cf95941ef2a6e3f99d57d43fcaa15d5f5ef7 SHA256: 3b229e6a98e6c411a63de597896f58d5e969c63f6d5e40cd27ca8ea6c96c67b4 SSDeep: 12:Nb73AzlEK5piQeNnAt/awgtIt7c4gwae6cx:RAze2gNAN1gtIaFw5x |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\13\278.RYK | 0.41 KB |
MD5:
b3f85e51c8a34634a008fe6dfc9c5914
SHA1: 51e418fe13e612516c19a874a8d7af9c732f19e0 SHA256: 6f3d87f86129aa5ffb1f0acd475c549593fc5183ac18093960dc13a211be8179 SSDeep: 6:5Z6+GCyLiBYAn/mTkla7ReueoEbmLupt1mwEfO9yBBtIctzxt9oMpyu4vBjJn:H6+GxiBFviReVaLmZIBBBtIcNxfX4v7n |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.009.etl.RYK | 16.28 KB |
MD5:
3dc217c394623f6347c4cc2d1c04461b
SHA1: ca1f61e3fcdecf8e4da8dd1c00a961c166e850d8 SHA256: 943cbce40b8b5de4fb4cf40f17559fbe67e9749ce5ac494ade32194fbfd3a8f2 SSDeep: 384:PblSCnyjLOTxgMObnlqyeWUU1tHSrTbNqgz6dey:DnSsxgMOblqyjiAgu3 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini.RYK | 0.64 KB |
MD5:
af9e225f5c805ece5624412234903d0c
SHA1: 8a68be8c3106c088d9f7a1daf3da956a7df73ee4 SHA256: 7eefc929c7a5a291eeabbeec58c666f2a7045e6fa2f9adf337d745123a9343e7 SSDeep: 12:QvA4glM8zY78vKc3EQcDdUNFDShSQ9dKKhhjc4Q2kHjEZzPGB5QhM2IYVGgj+ojG:QYtlMUY6Kc86Dc/9dKKzrpawPs2IYra5 |
|
|
| C:\BOOTSECT.BAK | 8.28 KB |
MD5:
bf3e8cf77d7e4c61c060a656634bb1d3
SHA1: b89cad86cf0d7062c9bfcbfcc5c97eba63363bc4 SHA256: fb3ea50e58762538170de2cbaf4cbc808572b8230c8ca92325238fdcc229798e SSDeep: 192:LQ94zj7t3Y5zZqu/3kkE8LWo5PUyPq5FQA5nVWpqhX:Cw/t3QkkEyCbQ2x |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\271.RYK | 0.41 KB |
MD5:
b3336d741499b7751de89c91a3945822
SHA1: a1c4d3fee482dfae56bb5e3db160eada6b438360 SHA256: 6ed2ded9b8d9d55699347d7e5e2e8e2cbb5c122693410ebc0a59ad7ba7853fd5 SSDeep: 6:MyDrub98iS0pwKr+/46PDYgPZxv6G7A6mPRp8p7nHvrOsAk1smebTT00/kOawQt9:ju58iNdcYgPZxvlARp6p7nDDA4evAcJ8 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MpDiag.bin.RYK | 0.39 KB |
MD5:
a37e1f85525fc3dcb18ab17629e31b90
SHA1: 85c2f813d70e841fb3fd4b7a3e205e93843944a3 SHA256: 7e006f2a421f14ae365e707accffb2eb3f895f56be1ea8ea43a6759be2ed4cc8 SSDeep: 12:KJx0Bbc4f3fqJ5/uksyn9XxeeYDSdhZV9zl:SxKiJlJ9XMPD2D7 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\00\192.RYK | 0.41 KB |
MD5:
582b5373e9adc3d3e6890b204266f7bb
SHA1: 880bab8d42c6fa2484a596e2bc7994292e55b2e9 SHA256: 930e144147c4519f5b42bc97aac98bc6859eb95c7e9753382310b68059f2d786 SSDeep: 6:sL0ILjcm0t77Yl8pQPLIuc8xA42AqJXVTsZypheD2dlZuAqnwYJmP3O:sgIXr0t78gQPLICqQqNVTJluAqnwM8O |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneNote 2016.lnk.RYK | 2.61 KB |
MD5:
685ae223a9d670a6e06a26b3dafbc8cb
SHA1: a6aa2fe1b5dcf4511f636b97c1a5a21cc5b8a583 SHA256: d5257ab4158b4e0aac4ef185406ad52792a498bfb4ef4917d05101a25769c46e SSDeep: 48:8TzdGgdIRKhocOb48k7Y/lPIoZJLnQsrvQzYbfsilamI7ekKzEJ+3ypLZAJmX8uY:UrFgOwZZVnQ8vVfsiUdqUJEeK2P57yt |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini.RYK | 0.44 KB |
MD5:
8f0bd2751d8888a0c3091cd76b37546d
SHA1: 27ac87845d4737571358c527cda3fcf774f96b92 SHA256: 95362dc49e96d0c6d1acc12c5f1b3ec48f08460c0c268726d95176ad7f473b21 SSDeep: 6:ezw9Cd3SYL6/KQtv8POKK2NCVfwF3I+/aapmT9vR17v6XLENd8j7wVRYl27Bgzx4:eCCEYotvSRooF3JCOmT9vTpk7vxETv |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.0.xml.RYK | 2.21 KB |
MD5:
e1ed4fb520fa9410fc3c8efca74265ec
SHA1: 1c1a877cbb077f6b92c0f0d01c4eea2a8aeecf08 SHA256: e0f78f776e1b4de63537b1dd2798b900d054db03b45a71349818e42daa4fc852 SSDeep: 48:fBH1NaYMppJLkuFXTsFUB2y9g/rew5atT2EFLh8j8s8uZcKq6bh7Vwom:5VsYPu5Tkgt+DeGatTnFhI8s3ll7Vrm |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.012.etl.RYK | 16.28 KB |
MD5:
0b6a2c3f4092cb37d838c5523bfbbc47
SHA1: 4cd2dd6b349dc67ddf2f828baa6e07f84e574cf5 SHA256: 9d669000dc09e385f6efc78f65dad4a51abbaa03f215790dfb8a31ed7bb029c0 SSDeep: 384:LT+zVa9px+mMoIEjXjQgnlnEJr27KDAj2JSZHpTEokQKM7x:Sa9fsHEjXjznZi27KMKQpkA |
|
|
| c:\programdata\adobe\arm\reader_17.012.20098\acrordrdcupd1800920044_incr.msp | 10.00 MB |
MD5:
c07efece4d0d44f8c6284eb43066f45e
SHA1: ba9dbe8c2553ec95c5945004a0251d2929ce9583 SHA256: 010ae2bb6c236e2fbe5a8f58d23267a66b6ddf0d81d8b774f07d684b783e1e75 SSDeep: 196608:F6aPNdKvwNR5bnZzwitGRFJvW2YxWCqoM4ffR/uRVr8E7ejFul:FRjKvwL5L6tvhTCqSIGS |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business 2016.lnk.RYK | 2.67 KB |
MD5:
c824da5e042f3957d7ab654663bf11bc
SHA1: ce15d10dff28236f795e6e9af5ec5a1aade2a12c SHA256: 19a055c97665e55aebb8d941939cb8f69f66050180ceaf7efff20d699d8273b8 SSDeep: 48:RuazFyYXXJUW3zn9anYIxL0L/LhIUjNAnVSxBG9YoAJem25:RBzFyiOWEYVWTVSO9YoAwm25 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.016.etl.RYK | 16.28 KB |
MD5:
d2d38885dd49b2b6f642e87064b7fde2
SHA1: 26ec60a3a6ea4aa47dcb5b06180c57ba666940c1 SHA256: 1758238f8144547d64112295f0cef1d5fd8cbd83fe637c889abdb2a0bf1efd2c SSDeep: 384:JBqCk77o2+F1orwu4gbMBeQ+zVbsc6Axyf:Jy7o2S/bBZyVn6A6 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.1.xml.RYK | 2.21 KB |
MD5:
ec6bdcdf00230fc91f34cbc500a50be5
SHA1: ffd0a3348c159606ce8f5cd7e6e236e2b14abd4e SHA256: 4ce5ae7bdc6692b854dbe0aab69650da1f1e0d1fbfab3c7c4e94432a54310da7 SSDeep: 48:UXYQswMypu9Ksnikh4Yl9TSgc9tEg8XqclyAqh9NrKPuoZG+/Q:Uhhzpu9Ksik+OTSgc9t8aEBqh9NrKPu7 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.2.xml.RYK | 1.63 KB |
MD5:
81fabab16451653a28ebef487db022a2
SHA1: bb820caecaa3c39f6e68ed754e86895370337b42 SHA256: 9d334b7737a39a370db1c87ccbee2fdbb24770320f3fe5cb6ab4436c4bcdd841 SSDeep: 48:tiHTazf4lGiD4Ox23bqOPZJQz5SH+MIN7Sb85s+IYd:OGzf4siD4Ox2zPZJc5H24f9 |
|
|
| C:\Documents and Settings\All Users\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp.RYK | 10.00 MB |
MD5:
83f9060c4e4f5a09e21fd91393da6d21
SHA1: 052b35ea11fe33b6dc01b8447dcf9fe139b66b18 SHA256: 148774551c19317a2c577572ce16d8ba8723d8780750f7718c0d9e73124ba216 SSDeep: 196608:F6aPNdKAVKIQtgzY9EyjVx2YxWCqoM4ffR/uRVr8E7ejFul:FRjKAVqtgzY9dWTCqSIGS |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.008.etl.RYK | 16.28 KB |
MD5:
0f2f7d3974fa9c24e7870bf7740b22c3
SHA1: 1fa5bf95d8050d8790c36e1205dcb972a06d9ce2 SHA256: 0cf59335bae48f528d795d1c0c49e600214c4ec5aba7be76befa30f58b1fd124 SSDeep: 384:Xq00gJbVRG1JO3p/DKQWz1kq+b/3nszn3FlDzQH9fvr:XL0glVRGP20+b3sznQH9fvr |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access 2016.lnk.RYK | 2.64 KB |
MD5:
a451dc4df9d263df1d01a3f5551599a0
SHA1: 7bc83ef2a6c74eaacfa38c146a278234dce9d2f7 SHA256: 6c1cf2e05de0a94c29e84ed5a8414c93ccbc163c1eafd90a14e6ae1b433de3c7 SSDeep: 48:aa71Sq5iP9QPchgrXHIS5UfxNniv0sgQKOCzD1evcrTfyTFP:dl2wHrXoSoxkvv5CzsEnyTt |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\dfrgui.lnk.RYK | 1.41 KB |
MD5:
777316fc48e1857257e66ecf6715262f
SHA1: c082d854b8bd43ce1c379dee2979ad0ccecc7ca0 SHA256: 668020e005935cba1e277a0242df8ab34fd742fef50676dd14fb3d25454e137c SSDeep: 24:B44AqzxaQ7gconPQc/dczojk/RcUHHsIGCFIAL3IuFT9ppZo8IF3DpClyv41B23K:B4vqFaagco//drA/RcecCTrIuFT9jZoo |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\21\13719.RYK | 0.41 KB |
MD5:
42ce4be818377bd65e970f4749562abc
SHA1: 028c68a48795066f6a0ec0a86f97db1950b97c2e SHA256: ad538458497141aa1a4f13e47742d4bc870eb7223e61c01db66d56a23be6cecd SSDeep: 6:8eIPxsSkopot4EV6FffSsrOFl6ZAWTXUKNNsKJ15+dOiuD3C0UX1Kns6lSx:uJzXGPLsS2AWrUI+KJ7+dODO0UlKs |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\10\267.RYK | 0.41 KB |
MD5:
53c971c11a197483cf3e854f5578b030
SHA1: b66341b360c29e02535890c7c003d7c947975396 SHA256: c1dec170ca8681be4ba886f42d5719e79eea8811dd2b24e60522dbe99ff418bb SSDeep: 12:eYERfNWkyVjhJ1A02CXkDnHHKDhgXR6LJHinjYk:eYERfhOjhTn2GMnb69HwL |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\09\13711.RYK | 0.41 KB |
MD5:
6cf57aa8093cb78a9c0dbd1cef4a5b87
SHA1: 081d2e9544e4305341f9d4da9b647f9992ddbcde SHA256: fd1ed3b5864a53e645b96d14cafe618d9a9b24b13358531104ac6159932d4e6a SSDeep: 12:UdntU68Xub9WWZclUDszAoeUgIBFUPbw9Wcq:untj8XO9DZ8yvUgpbwsf |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateUx.001.etl.RYK | 4.28 KB |
MD5:
495fc4c3037e26ac0b8d748bf4053f73
SHA1: afe563ba6e23bf69c9000669c10e15d51ea43ece SHA256: 20e2f95b3bf91acd2209a9db6d6b450ca90989130189c9d2753c1911fdc33b4d SSDeep: 96:VKRBDOg8xmyx11EcWCtiOsrh4nclTraSV2BNGZTjRHg1/Ep3W:ARBD38x9j6VCwbuERxg1/E9W |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\2\0000000000000000.idx.RYK | 0.36 KB |
MD5:
65deaec14db12ceae117df46bd445d57
SHA1: a85a8df49b09a729a22a3754b016f63bbdf95dc6 SHA256: f29c68a4ba02189535302cf2dfe4c476d1afbd671d8361ebcff5e2933233cdfc SSDeep: 6:AJlQ822C1pA3VOEPSGbgd8U1AkJBcnTndgrGyydSnFx0hYhTOBZ7Dhk0iZ/RaO4V:AJW2apIVOMbgd8U1jCnTnSGybnYihuZV |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.002.etl.RYK | 16.28 KB |
MD5:
5ba99386d83aa5d5d1421e09d94cfdf1
SHA1: 6e1444ac8c5611957809dce09d962b9d45790433 SHA256: 5124c4fb80afd1540243c8a8d7d032e97d74f4fd051d5c21d5be89b2e7f58c50 SSDeep: 384:JT5D4BNKlm6UdARaBJr0MHBDBl4xfdBYPVjI03:JtDUNKlVUdMaJNBl4xKl |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini.RYK | 0.44 KB |
MD5:
818524c9fb868422fa0d98f7b64df9ad
SHA1: 02d9737253c2690c6cfbfa2260f46be87ac27b99 SHA256: 2551ad99f1ed5216f8e3504c61e7f01d32212540cd044943e6a92722f64df1d0 SSDeep: 6:oTf5bRLroP2967ObbqKYwbvYK/QFpByop2eH+5rEvc+nF1ZEVfMAu4THdxCCL0IW:oTBFoipyDd2eetE0GF1ZE64THd8CLNur |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher.lnk.RYK | 2.63 KB |
MD5:
937b5b75555746e39e86c81437453305
SHA1: 7e57f216ff4b59727fd4e9ae17dc2ac48987096d SHA256: 26e05e88d52a09fc59ab8ec57738fed9a10cd9f147a60910b45e8dc16986ccd8 SSDeep: 48:H72NomybBAnFzPAW7BjwRHxoiUP7BXjnCWcR74MHed4PI:Hi5LAYoHu5PVznCF74MeWg |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\04\259.RYK | 0.41 KB |
MD5:
8bc6de009595a0abff15f2a63108ce19
SHA1: af87ec7fd4fb5d861e09c260ca13374c27d7cb45 SHA256: f02bcb736dacce3c1f52b3493380af928accf57d76a5c13e075806c946adcd04 SSDeep: 12:RFPDDtkCMxMuTLVrWI3sSy9E71MtWYLIXrWgNbqDS+Yr:RFPD2K7IcSOE71MtvLIyqr |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Snipping Tool.lnk.RYK | 1.38 KB |
MD5:
5fbfd9e6ca52babebdfb56e31006c0b7
SHA1: b89c577fb58071e4d6aee00e313f61cf3422bcfe SHA256: b0ec7cf45ed8c4ce236aea20e6fd4f3148bb31f5b458d0d95ac9b6c5a2196387 SSDeep: 24:lCPatxHXWn3O81QOfouUtdljiyewUYTZBD4nA59sakuuH7aSYcwZtEa9M7hlB87+:ESDn81QtRlepu0nu9ssIYcsO7PG0h |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\262.RYK | 0.41 KB |
MD5:
8401d089bc4389826078003313733efc
SHA1: 1dea16b945f601e762a19adaa6b6d9c338b16df2 SHA256: 748dd14bc0a0db9fbe472450ebc7f16fdb37e4e52f62bfdfdbf4990002ce25e6 SSDeep: 12:m/y5Wv1Q9gaWvGKWQXdjQju42if47zlqJqbN+dO07l7e:rWv75GiXCjZ2D70JuwTy |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Active.GRL.RYK | 14.89 KB |
MD5:
bc0c16eebdbd42680a61f3b726842724
SHA1: ab026ecd252d5733daa60863a1cb4cad597e3e8e SHA256: c0c4436b6f328426f8cd1098898f37cf0888f371608f932a245c8a7350693bd4 SSDeep: 384:AFQGrD1PvZtJEYWjuRaDo67CjN09MfkCnQ1b/jK/i1h4Gxwt:Ad1vZtJr5RadY09A7QVh1h4GWt |
|
|
| c:\programdata\microsoft\windows\start menu\desktop.ini | 0.44 KB |
MD5:
364c30ef6340b6d56332ec20bbe4844a
SHA1: f6ff0f7b8bc133948bd5aa6b72f2568a0fecdb53 SHA256: 38308000a0277e33207112fa6f6ff6fd818c4913320f70445ace59c339da9b8d SSDeep: 12:kgYkCw5cZbPPWk2Yj+w7a7b3bP2B3O/HPZ9:kRtlY7fP24R9 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Task Manager.lnk.RYK | 1.38 KB |
MD5:
28b0f6e23d60939b47109bc9e7aa46b0
SHA1: 2ee1d72b0a47d6a16770a20f2c30a0378a1facc7 SHA256: 93c14fe789473a8d445a3999cf59440e2662ea883388922c89173e9e2de3fe31 SSDeep: 24:572zM5zAgXp3IQeyxlkMOp9F9X39pNhnDt2nOfG+6BBeYq6Z8OzSknMCw:5yA5znXlIYkMW9FhtpNzDfGnnHpqOz9Q |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Default Programs.lnk.RYK | 1.50 KB |
MD5:
3473528fd1fad87753436fe5fbfb5204
SHA1: 92e9670f52b6ee4708be28c73c65e50727727a7f SHA256: f9aa2fcc3216f862dd416eb61e232d7ab2323c9f9af5ca682c1551f82c9dc834 SSDeep: 24:P0au5Qdj256Iz0bI+6asjo4/lS5zEBdCKyIlQeFVT2GoZqkNRK7uWTiESrm:P0anj25Vw0+6aA/kEB5NFVTDQVWz |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint.lnk.RYK | 2.67 KB |
MD5:
6c02d874ee7e2c1c82c283b62ae921b7
SHA1: 51aa72baccffaffb504c54760972912646475d08 SHA256: 55ce0399eb0312536948d194e18811e9780bd597b9229238967e81dbaa75ee0e SSDeep: 48:468N7BrHbnUfr4ey9568XL4CT7DG0Zz6Jr8+B6AYrR7GAP0MArSfg+uJbW:tw8r4eO88b4QGT8+B6NAZM2t8 |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Visio.lnk.RYK | 2.38 KB |
MD5:
1a7b99f7737e4eac1ea2575907760f1b
SHA1: 275e110d65b62f98e22daf3a9d6b0754030bd6b2 SHA256: 77afe45d9aad1fcf0dc1f1ec3b4d612a2308f3b242af4848d973f9c4b64e59e7 SSDeep: 48:BtGnQLvAijkjFznmXplByB1sRd5cgkfqLhEgNCpOsiU3/947V4NUo:BtGnQLYWIBmXrQsRfkZFMszV4hwUo |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\XPS Viewer.lnk.RYK | 1.38 KB |
MD5:
041b1af554d37feba91cd96999254c1e
SHA1: 7941712d840bcce5a48e2a78e5b21c9f6f4d83e4 SHA256: 1732758e455ec764f9acf937a059c4025bbfbcdf1cf4bc45f3c96355c5bea1f6 SSDeep: 24:pDOfnt8l4L7HgcAwTy8ow7h61BuymmuVJkMcagRRqh1jxUVBX/m9UuMJr:pyVlL7HxAwTfNaIbPJo701jiVBumuMV |
|
|
| C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.013.etl.RYK | 16.28 KB |
MD5:
002c877d7a885646c29c5fe511bd2afa
SHA1: 602081fd56e01318bd73d85efbd3c109e60d83a4 SHA256: 437510eb5e735465d5fbb67059ed085b024f916dc3a607d8609f53922d776cd2 SSDeep: 384:4I76vCipxo7y5RZURlDdkyzc1KHCi44ysbzsxlQM4wlMHl3azP:4IWaipxIoZURdjzc1WAwbzaaHd8P |
|
|
Host Behavior
File (7806)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\BCD.LOG2 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\BCD.LOG1 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\bg-BG\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
39 | |
| Create | C:\Boot\cs-CZ\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\da-DK\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\de-DE\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\el-GR\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\en-GB\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\en-US\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\es-ES\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\es-MX\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\et-EE\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\fi-FI\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\BCD | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\BCD.LOG | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\BOOTSTAT.DAT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\fr-CA\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\fr-FR\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\wgl4_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\chs_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\hr-HR\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\hu-HU\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\cht_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\segoe_slboot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\it-IT\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\segmono_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\msyh_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\jpn_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\ja-JP\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\ko-KR\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\kor_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\segoen_slboot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\malgunn_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\msyhn_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\lt-LT\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\msjh_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\msjhn_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\meiryo_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\meiryon_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Fonts\malgun_boot.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\lv-LV\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\nb-NO\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\nl-NL\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\pl-PL\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\pt-BR\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\pt-PT\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\qps-ploc\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Resources\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Resources\en-US\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\Resources\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\ro-RO\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\ru-RU\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\sk-SK\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\sl-SI\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\sr-Latn-CS\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\sr-Latn-RS\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\sv-SE\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\tr-TR\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\uk-UA\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\zh-CN\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\zh-HK\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\zh-TW\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Boot\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Config.Msi\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\BOOTSECT.BAK | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\BOOTNXT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\bootmgr | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
6 | |
| Create | C:\Documents and Settings\All Users\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
6 | |
| Create | C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
6 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
6 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
6 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
6 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
6 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
6 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
6 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
6 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
6 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
6 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
15 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
7 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_15.023.20070\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.009.20058\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\Acrobat Reader DC.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
27 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DataMart\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DeviceSync\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\Server\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MapData\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\NetFramework\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WDF\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Live\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WinMSIPC\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WwanSvc\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
5 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\.oracle_jre_usage\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\installcache_x64\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Active.GRL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Pending.GRL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\javapath\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\javapath_target_5923062\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
19 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{3c3aafc8-d898-43ec-998f-965ffdae065a}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{e52a6842-b0ac-476e-b48f-378a97a67346}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\regid.1991-06.com.microsoft\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\SoftwareDistribution\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Templates\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\UpdateStore\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.001.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.002.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.003.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.004.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.005.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.006.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.007.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.008.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.009.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.010.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.011.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.012.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.013.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.014.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.015.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.016.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.017.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.018.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.019.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.020.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.021.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateUx.001.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
11 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\Acrobat Reader DC.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\8C296B8E-6699-457C-9415-3D0647E1D775\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\9D76938C-943D-439F-A135-26D02821EE05\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\Catalog\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\Integration\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\ProductReleases\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\UserData\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
5 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.0.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.1.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.2.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\Reader_17.012.20098\AcroRdrDCUpd1800920044_incr.msp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\DSS\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\DSS\MachineKeys\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\DSS\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\Keys\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\PCPKSP\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\PCPKSP\WindowsAIK\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_427a1946-e0ff-4097-8c9e-ca2c1e22780b | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\S-1-5-18\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\SystemKeys\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DataMart\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DataMart\PaidWiFi\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DataMart\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\S-1-5-18\4eccd106f69e31c1b12304e5463bb71d_427a1946-e0ff-4097-8c9e-ca2c1e22780b | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\SystemKeys\6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DeviceSync\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\AsimovUploader\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedScenarios\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\AutoLogger\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\LocalTraceStore\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events00.rbs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events01.rbs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events10.rbs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events11.rbs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\parse.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Sideload\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Siufloc\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\SoftLanding\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\SoftLandingStage\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\Server\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\Views\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\Views\ApplicationViewsRootNode\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\INT\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\production\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\production\temp\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MapData\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
16 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\NetFramework\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\NetFramework\BreadcrumbStore\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Active.GRL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Pending.GRL | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Connections\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\qmgr0.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\qmgr1.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\ClickToRunPackageLocker | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
14 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\countrytable.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\Administrator.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\CIiHmnxMn6Ps.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-192.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-32.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-40.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-48.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WDF\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
18 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
5 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\GenuineTicket\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Import\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Install\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataCache\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataStore\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceSoftwareUpdates\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DRM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DRM\Cache\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DRM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\GameExplorer\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\LfSvc\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\LfSvc\Geofence\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Parental Controls\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Power Efficiency Diagnostics\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\SleepStudy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\Manifest\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\Sessions\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\Upload\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Templates\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\ReportArchive\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\ReportQueue\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\Temp\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
9 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Clean Store\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Features\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\LocalCopy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Network Inspection System\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Quarantine\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
6 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\CleanFileTelemetry\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\CleanStore\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MetaStore\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\RtSigs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Support\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.67 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.7E | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.80 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.87 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.A0 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.CB | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.CC | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.VE0 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.VE1 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-A14CDE2848BB5D8B88DFAFE00552ABFC83C353CE.bin.VF | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\MpDiag.bin | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Live\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Live\WLive48x48.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
7 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\Inbox\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\Queue\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\SentItems\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSScan\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSScan\WelcomeScan.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WinMSIPC\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WinMSIPC\Server\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WinMSIPC\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WwanSvc\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WwanSvc\DMProfiles\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WwanSvc\Profiles\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WwanSvc\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\setup\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\setup\refcount.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\.oracle_jre_usage\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\installcache_x64\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\javapath\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\javapath_target_5923062\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
18 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{3c3aafc8-d898-43ec-998f-965ffdae065a}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\.oracle_jre_usage\17dfc292991c7c24.timestamp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\installcache_x64\baseimagefam8 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675}v14.0.23026\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845}v14.0.23026\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{e52a6842-b0ac-476e-b48f-378a97a67346}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\regid.1991-06.com.microsoft\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\SoftwareDistribution\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Math Input Panel.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Paint.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Snipping Tool.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Steps Recorder.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Sticky Notes.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows Fax and Scan.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows Media Player.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Wordpad.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\XPS Viewer.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Acrobat Reader DC.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Immersive Control Panel.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\About Java.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Check For Updates.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Configure Java.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Get Help.url | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Visit Java.com.url | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneDrive for Business.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint 2016.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher 2016.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business 2016.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Search.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access 2016.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Project 2016.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PrintDialog.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Tablet PC\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Templates\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Project.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Default Programs.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Task Manager.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Word.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Outlook.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Visio.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Word 2016.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneNote 2016.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Outlook 2016.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Visio 2016.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\MiracastView.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Desktop.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\UpdateStore\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.001.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.002.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.003.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.004.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.005.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.006.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.007.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.008.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.009.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.010.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.011.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.012.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.013.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.014.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.015.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.016.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.017.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.018.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.019.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.020.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.021.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateUx.001.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Devices Flow.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel 2016.lnk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\Acrobat Reader DC.lnk.RYK | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini.RYK | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini.RYK | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini.RYK | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini.RYK | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
21 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\8C296B8E-6699-457C-9415-3D0647E1D775\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\9D76938C-943D-439F-A135-26D02821EE05\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\Catalog\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\Catalog\Packages\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\Integration\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\Integration\ShortcutBackups\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\MachineData\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\ProductReleases\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.0.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.1.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.2.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\ProductReleases\46750A92-D768-415D-ABAC-A9B18903B159\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\ProductReleases\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\UserData\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
5 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\DSS\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\DSS\MachineKeys\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\DSS\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\Keys\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\PCPKSP\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\PCPKSP\WindowsAIK\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\PCPKSP\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_427a1946-e0ff-4097-8c9e-ca2c1e22780b | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\S-1-5-18\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\SystemKeys\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\S-1-5-18\4eccd106f69e31c1b12304e5463bb71d_427a1946-e0ff-4097-8c9e-ca2c1e22780b | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\SystemKeys\6d00fa390c15cc4634c8ca8153b76f29_911499c7-ef29-47ed-a64c-6b1751f20848 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DataMart\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DataMart\PaidWiFi\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DataMart\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DeviceSync\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\AsimovUploader\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedScenarios\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedScenarios\Windows.Uif.static | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\cfc.flights.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.bk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\utc.app.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\AutoLogger\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\LocalTraceStore\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Sideload\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events00.rbs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events01.rbs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events10.rbs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\events11.rbs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\parse.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Siufloc\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\SoftLanding\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\SoftLandingStage\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\Server\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\Views\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\Views\ApplicationViewsRootNode\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\Views\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Event Viewer\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\INT\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\production\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\production\temp\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\production\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MapData\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\NetFramework\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\NetFramework\BreadcrumbStore\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Active.GRL.RYK | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Pending.GRL.RYK | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\NetFramework\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Connections\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\qmgr1.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\qmgr0.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\ClickToRunPackageLocker | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
10 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\countrytable.xml | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\Administrator.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\CIiHmnxMn6Ps.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WDF\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
18 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
78 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_10.0.0.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_2015.624.2254.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.AAD.BrokerPlugin_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.AccountsControl_10.0.10240.16384_neutral__cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingFinance_10004.3.193.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingFinance_4.3.193.0_x86__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingNews_10004.3.193.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingNews_4.3.193.0_x86__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingSports_10004.3.193.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingSports_4.3.193.0_x86__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_10004.3.193.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.3.193.0_x86__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BioEnrollment_10.0.10240.16384_neutral__cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_2.1.9.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_2015.622.1108.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.LockApp_10.0.10240.16384_neutral__cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftEdge_20.10240.16384.0_neutral__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_17.4218.23751.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_2015.4218.23751.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.1.6103.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_17.4201.10091.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_2015.4201.10091.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_1.10159.0.0_neutral_split.scale-150_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_1.10159.0.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_2015.627.626.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.VCLibs.140.00_14.0.22810.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.VCLibs.140.00_14.0.22810.0_x86__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.AssignedAccessLockApp_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.CloudExperienceHost_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ContentDeliveryManager_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Cortana_1.4.8.152_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ParentalControls_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_15.618.18170.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_2015.618.1921.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ShellExperienceHost_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_10.1506.19010.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_2015.619.10.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_10.1506.19010.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_2015.619.10.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_2015.612.1501.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_5.38.3003.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_2015.6002.42251.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedback_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_2015.619.213.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_4.1505.50619.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsPhone_10.1506.20010.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsPhone_2015.620.10.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1506.15100.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_2015.615.1606.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_2015.7.1.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_2015.701.14.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_2015.617.130.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_5.6.17000.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameCallableUI_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_2019.6.10841.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_3.6.10841.0_neutral_resources.scale-140_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_3.6.10841.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_2019.6.10811.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_3.6.10811.0_neutral_resources.scale-140_8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_3.6.10811.0_x64__8wekyb3d8bbwe\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Windows.ContactSupport_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\windows.devicesflow_6.2.0.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppRepository\Packages\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-192.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
4 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-48.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-32.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-40.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\Apps\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\GenuineTicket\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Import\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Install\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Install\Apps\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Install\Migration\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Install\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataCache\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataCache\dmrccache\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
2 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataCache\dmrccache\downloads\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataCache\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataStore\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataStore\en-US\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceMetadataStore\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DeviceSoftwareUpdates\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DRM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DRM\Cache\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\DRM\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\GameExplorer\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\LfSvc\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\LfSvc\Geofence\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\LfSvc\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Parental Controls\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Parental Controls\settings\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Parental Controls\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Power Efficiency Diagnostics\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\SleepStudy\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\Manifest\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\Sessions\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\Upload\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Sqm\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
9 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessibility\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Administrative Tools\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Java\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Maintenance\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016 Tools\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\StartUp\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\System Tools\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Tablet PC\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Templates\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
3 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\ReportArchive\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\ReportQueue\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\Temp\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\RyukReadMe.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | size = 176 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini | size = 288 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini | size = 384 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini | size = 384 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini | size = 176 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini | size = 1314 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini | size = 1024 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | size = 864 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini | size = 384 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | size = 192 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini | size = 1488 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini | size = 2608 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini | size = 176 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini | size = 176 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini | size = 464 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\desktop.ini | size = 96 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\desktop.ini | size = 6 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\desktop.ini | size = 268 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\desktop.ini | size = 1314 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini.RYK | size = 1314 |
|
1 | |
| Write | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\MasterDatastore.xml | size = 272 |
|
1 | |
|
For performance reasons, the remaining 4004 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Process (121)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | net | show_window = SW_HIDE |
|
1 | |
| Create | net | show_window = SW_HIDE |
|
1 | |
| Create | net | show_window = SW_HIDE |
|
38 | |
| Create | net | show_window = SW_HIDE |
|
1 | |
| Open | System | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\smss.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\wininit.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\winlogon.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\services.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\lsass.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows multimedia platform\commandsxerox.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows multimedia platform\entities.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\microsoft office 15\oxide-shift-serial.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windows media player\eggs-listen.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\microsoft office 15\pmc.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windows journal\resulting_node_selections.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\internet explorer\authorized_binding.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\reference assemblies\mathematics-numeric.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windows multimedia platform\fascinatingcowboy.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windows sidebar\scsi.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windows photo viewer\contests.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\uninstall information\hampton-affected-alcohol.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windows portable devices\leading arcade.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\msbuild\weak.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\microsoft.net\helpful-personally.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\internet explorer\domainsbreathreveal.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\mozilla firefox\slightly.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\internet explorer\ward flag.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windows portable devices\freight_beast_turbo.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\microsoft office\ages.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\audiodg.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows multimedia platform\commandsxerox.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\windows multimedia platform\entities.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\microsoft office 15\oxide-shift-serial.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windows media player\eggs-listen.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\microsoft office 15\pmc.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windows journal\resulting_node_selections.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\internet explorer\authorized_binding.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\reference assemblies\mathematics-numeric.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windows multimedia platform\fascinatingcowboy.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windows sidebar\scsi.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windows photo viewer\contests.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\uninstall information\hampton-affected-alcohol.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windows portable devices\leading arcade.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\msbuild\weak.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\microsoft.net\helpful-personally.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\internet explorer\domainsbreathreveal.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files (x86)\mozilla firefox\slightly.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\internet explorer\ward flag.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\windows portable devices\freight_beast_turbo.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\program files\microsoft office\ages.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 | |
| Open | c:\windows\system32\backgroundtaskhost.exe | desired_access = PROCESS_ALL_ACCESS |
|
1 |
Thread (7)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | c:\windows\system32\sihost.exe | proc_address = 0x7ff7503c2870, proc_parameter = 140700179759104, flags = THREAD_RUNS_IMMEDIATELY |
|
1 | |
| Create | c:\windows\system32\taskhostw.exe | proc_address = 0x7ff7503c2870, proc_parameter = 140700179759104, flags = THREAD_RUNS_IMMEDIATELY |
|
1 | |
| Create | c:\windows\system32\runtimebroker.exe | proc_address = 0x7ff7503c2870, proc_parameter = 140700179759104, flags = THREAD_RUNS_IMMEDIATELY |
|
1 | |
| Create | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | proc_address = 0x7ff7503c2870, proc_parameter = 140700179759104, flags = THREAD_RUNS_IMMEDIATELY |
|
1 | |
| Create | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | proc_address = 0x7ff7503c2870, proc_parameter = 140700179759104, flags = THREAD_RUNS_IMMEDIATELY |
|
1 | |
| Create | c:\windows\system32\backgroundtaskhost.exe | proc_address = 0x7ff7503c2870, proc_parameter = 140700179759104, flags = THREAD_RUNS_IMMEDIATELY |
|
1 | |
| Create | c:\windows\system32\backgroundtaskhost.exe | proc_address = 0x7ff7503c2870, proc_parameter = 140700179759104, flags = THREAD_RUNS_IMMEDIATELY |
|
1 |
Memory (35)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | c:\windows\system32\sihost.exe | address = 0x7ff7503c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\windows\system32\taskhostw.exe | address = 0x7ff7503c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\windows\system32\runtimebroker.exe | address = 0x7ff7503c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | address = 0x7ff7503c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | address = 0x7ff7503c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\windows\system32\backgroundtaskhost.exe | address = 0x7ff7503c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\program files (x86)\windows multimedia platform\commandsxerox.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\program files (x86)\windows multimedia platform\entities.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\program files\microsoft office 15\oxide-shift-serial.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\program files\windows media player\eggs-listen.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\program files\microsoft office 15\pmc.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\program files\windows journal\resulting_node_selections.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\program files\internet explorer\authorized_binding.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\program files (x86)\reference assemblies\mathematics-numeric.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\program files\windows multimedia platform\fascinatingcowboy.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\windows\system32\taskhostw.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\program files\windows sidebar\scsi.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\program files\windows photo viewer\contests.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\program files\uninstall information\hampton-affected-alcohol.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\program files\windows portable devices\leading arcade.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\program files\msbuild\weak.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\program files (x86)\microsoft.net\helpful-personally.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\program files (x86)\internet explorer\domainsbreathreveal.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\program files (x86)\mozilla firefox\slightly.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\program files\internet explorer\ward flag.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\program files\windows portable devices\freight_beast_turbo.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\program files\microsoft office\ages.exe | address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Allocate | c:\windows\system32\backgroundtaskhost.exe | address = 0x7ff7503c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3764224 |
|
1 | |
| Write | c:\windows\system32\sihost.exe | address = 0x7ff7503c0000, size = 3764224 |
|
1 | |
| Write | c:\windows\system32\taskhostw.exe | address = 0x7ff7503c0000, size = 3764224 |
|
1 | |
| Write | c:\windows\system32\runtimebroker.exe | address = 0x7ff7503c0000, size = 3764224 |
|
1 | |
| Write | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | address = 0x7ff7503c0000, size = 3764224 |
|
1 | |
| Write | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | address = 0x7ff7503c0000, size = 3764224 |
|
1 | |
| Write | c:\windows\system32\backgroundtaskhost.exe | address = 0x7ff7503c0000, size = 3764224 |
|
1 | |
| Write | c:\windows\system32\backgroundtaskhost.exe | address = 0x7ff7503c0000, size = 3764224 |
|
1 |
Module (125)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | api-ms-win-core-synch-l1-2-0 | base_address = 0x7ffc55040000 |
|
2 | |
| Load | api-ms-win-core-fibers-l1-1-1 | base_address = 0x7ffc55040000 |
|
2 | |
| Load | advapi32 | base_address = 0x7ffc57aa0000 |
|
1 | |
| Load | api-ms-win-core-localization-l1-2-1 | base_address = 0x7ffc55040000 |
|
1 | |
| Load | kernel32.dll | base_address = 0x7ffc55800000 |
|
1 | |
| Load | mpr.dll | base_address = 0x7ffc53810000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x7ffc57aa0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7ffc57750000 |
|
1 | |
| Load | Shell32.dll | base_address = 0x7ffc559d0000 |
|
1 | |
| Load | Iphlpapi.dll | base_address = 0x7ffc51c50000 |
|
1 | |
| Get Handle | c:\users\ciihmnxmn6ps\desktop\zotci.exe | base_address = 0x7ff7503c0000 |
|
28 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\zotci.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\zOTcI.exe, size = 260 |
|
2 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\zotci.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\zOTcI.exe, size = 100 |
|
1 | |
| Get Address | c:\windows\system32\kernelbase.dll | function = InitializeCriticalSectionEx, address_out = 0x7ffc55093900 |
|
2 | |
| Get Address | c:\windows\system32\kernelbase.dll | function = FlsAlloc, address_out = 0x7ffc550a4580 |
|
2 | |
| Get Address | c:\windows\system32\kernelbase.dll | function = FlsSetValue, address_out = 0x7ffc55092900 |
|
2 | |
| Get Address | c:\windows\system32\advapi32.dll | function = EventRegister, address_out = 0x7ffc57b88ff0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = EventSetInformation, address_out = 0x7ffc57b5e180 |
|
1 | |
| Get Address | c:\windows\system32\kernelbase.dll | function = FlsGetValue, address_out = 0x7ffc55088e40 |
|
1 | |
| Get Address | c:\windows\system32\kernelbase.dll | function = LCMapStringEx, address_out = 0x7ffc5505a930 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7ffc55822080 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7ffc55816060 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualFree, address_out = 0x7ffc5581bc10 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptExportKey, address_out = 0x7ffc57ab7b50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileW, address_out = 0x7ffc558257a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDriveTypeW, address_out = 0x7ffc558258f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCommandLineW, address_out = 0x7ffc55820150 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetStartupInfoW, address_out = 0x7ffc5581ed80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileW, address_out = 0x7ffc55825880 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualAlloc, address_out = 0x7ffc5581baf0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7ffc57acec40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ExitProcess, address_out = 0x7ffc5581ef50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffc558436a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x7ffc5581d5b0 |
|
1 | |
| Get Address | c:\windows\system32\iphlpapi.dll | function = GetIpNetTable, address_out = 0x7ffc51c6f0b0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x7ffc5581aa30 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffc55843690 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDefaultLangID, address_out = 0x7ffc55822ba0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameW, address_out = 0x7ffc57abda40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x7ffc55825a90 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegQueryValueExA, address_out = 0x7ffc57ab7dd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7ffc55825510 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegSetValueExW, address_out = 0x7ffc57ab7850 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7ffc57ab72e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7ffc5583e430 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesW, address_out = 0x7ffc55825b00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WinExec, address_out = 0x7ffc55841e60 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDeriveKey, address_out = 0x7ffc57ad07a0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptGenKey, address_out = 0x7ffc57abcab0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Sleep, address_out = 0x7ffc55818f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcess, address_out = 0x7ffc55816580 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteW, address_out = 0x7ffc55b1abc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x7ffc55825950 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GlobalAlloc, address_out = 0x7ffc5581b810 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x7ffc558257c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForMultipleObjects, address_out = 0x7ffc558256e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameA, address_out = 0x7ffc55820c70 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteA, address_out = 0x7ffc55bd7de0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleA, address_out = 0x7ffc5581e6d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameW, address_out = 0x7ffc5581eca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7ffc55825760 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSizeEx, address_out = 0x7ffc55825960 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x7ffc55825b80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalDrives, address_out = 0x7ffc558166d0 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetEnumResourceW, address_out = 0x7ffc538127d0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7ffc57ab6cb0 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetCloseEnum, address_out = 0x7ffc53812e20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x7ffc55822940 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x7ffc55825af0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExA, address_out = 0x7ffc57ab7d70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7ffc55825b20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount, address_out = 0x7ffc558160a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesW, address_out = 0x7ffc55825930 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileW, address_out = 0x7ffc55825840 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextW, address_out = 0x7ffc57ab89e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MoveFileExW, address_out = 0x7ffc55823010 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetOpenEnumW, address_out = 0x7ffc53812f20 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoInitialize, address_out = 0x7ffc57763870 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDecrypt, address_out = 0x7ffc57ab9140 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptImportKey, address_out = 0x7ffc57ab7b40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointerEx, address_out = 0x7ffc55825b30 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileW, address_out = 0x7ffc55825d70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibrary, address_out = 0x7ffc5581eb90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessW, address_out = 0x7ffc5581dee0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryW, address_out = 0x7ffc55825740 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThread, address_out = 0x7ffc5581bc20 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDestroyKey, address_out = 0x7ffc57ab86b0 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoCreateInstance, address_out = 0x7ffc57257000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileW, address_out = 0x7ffc55825770 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesA, address_out = 0x7ffc55825900 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptEncrypt, address_out = 0x7ffc57abd7e0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueW, address_out = 0x7ffc57ab90b0 |
|
1 |
Service (117)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Enumerate | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
User (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Lookup Privilege | privilege = SeBackupPrivilege, luid = 17 |
|
1 |
System (113)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
2 | |
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
28 | |
| Sleep | duration = 150 milliseconds (0.150 seconds) |
|
40 | |
| Sleep | duration = 50000 milliseconds (50.000 seconds) |
|
38 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
2 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #2: sihost.exe
86
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\sihost.exe |
| Command Line | sihost.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:04, Reason: Injection |
| Unmonitor | End Time: 00:01:18, Reason: Crashed |
| Monitor Duration | 00:00:14 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x704 |
| Parent PID | 0x324 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
1A4
0x
968
0x
950
0x
490
0x
46C
0x
7CC
0x
7C8
0x
7BC
0x
7B0
0x
7AC
0x
774
0x
770
0x
76C
0x
708
0x
F30
0x
F90
0x
C38
0x
C34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000001e5f0d0000 | 0x1e5f0d0000 | 0x1e5f0dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000001e5f0e0000 | 0x1e5f0e0000 | 0x1e5f0e6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001e5f0f0000 | 0x1e5f0f0000 | 0x1e5f103fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001e5f110000 | 0x1e5f110000 | 0x1e5f18ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001e5f190000 | 0x1e5f190000 | 0x1e5f193fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001e5f1a0000 | 0x1e5f1a0000 | 0x1e5f1a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x1e5f1b0000 | 0x1e5f26dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001e5f270000 | 0x1e5f270000 | 0x1e5f2effff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e5f2f0000 | 0x1e5f2f0000 | 0x1e5f2f6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e5f300000 | 0x1e5f300000 | 0x1e5f300fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e5f310000 | 0x1e5f310000 | 0x1e5f310fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001e5f320000 | 0x1e5f320000 | 0x1e5f320fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001e5f330000 | 0x1e5f330000 | 0x1e5f330fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001e5f340000 | 0x1e5f340000 | 0x1e5f43ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e5f440000 | 0x1e5f440000 | 0x1e5f53ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e5f540000 | 0x1e5f540000 | 0x1e5f54ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001e5f550000 | 0x1e5f550000 | 0x1e5f6d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001e5f6e0000 | 0x1e5f6e0000 | 0x1e5f860fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001e5f870000 | 0x1e5f870000 | 0x1e60c6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x1e60c70000 | 0x1e60fa6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001e60fb0000 | 0x1e60fb0000 | 0x1e6102ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61030000 | 0x1e61030000 | 0x1e610affff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e610b0000 | 0x1e610b0000 | 0x1e6112ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61130000 | 0x1e61130000 | 0x1e611affff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e611b0000 | 0x1e611b0000 | 0x1e6122ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61230000 | 0x1e61230000 | 0x1e612affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001e612b0000 | 0x1e612b0000 | 0x1e612d9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000001e612f0000 | 0x1e612f0000 | 0x1e612fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61300000 | 0x1e61300000 | 0x1e613fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61400000 | 0x1e61400000 | 0x1e61bfffff | Private Memory | - |
|
|
|
- |
| private_0x0000001e61c00000 | 0x1e61c00000 | 0x1e61c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61c80000 | 0x1e61c80000 | 0x1e61cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61d00000 | 0x1e61d00000 | 0x1e61d7ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x1e61d80000 | 0x1e61e5efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001e61e60000 | 0x1e61e60000 | 0x1e61edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61ee0000 | 0x1e61ee0000 | 0x1e61f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61f60000 | 0x1e61f60000 | 0x1e61fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e61fe0000 | 0x1e61fe0000 | 0x1e6205ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e62060000 | 0x1e62060000 | 0x1e620dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001e620e0000 | 0x1e620e0000 | 0x1e621dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff450000 | 0x7df5ff450000 | 0x7ff5ff44ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7050ac000 | 0x7ff7050ac000 | 0x7ff7050adfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050ae000 | 0x7ff7050ae000 | 0x7ff7050affff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050b0000 | 0x7ff7050b0000 | 0x7ff7050b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050b2000 | 0x7ff7050b2000 | 0x7ff7050b3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050b4000 | 0x7ff7050b4000 | 0x7ff7050b5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050b6000 | 0x7ff7050b6000 | 0x7ff7050b7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050b8000 | 0x7ff7050b8000 | 0x7ff7050b9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050ba000 | 0x7ff7050ba000 | 0x7ff7050bbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050bc000 | 0x7ff7050bc000 | 0x7ff7050bdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7050be000 | 0x7ff7050be000 | 0x7ff7050bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7050c0000 | 0x7ff7050c0000 | 0x7ff7051bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7051c0000 | 0x7ff7051c0000 | 0x7ff7051e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7051e3000 | 0x7ff7051e3000 | 0x7ff7051e4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7051e5000 | 0x7ff7051e5000 | 0x7ff7051e5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7051e6000 | 0x7ff7051e6000 | 0x7ff7051e7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7051e8000 | 0x7ff7051e8000 | 0x7ff7051e9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7051ea000 | 0x7ff7051ea000 | 0x7ff7051ebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7051ec000 | 0x7ff7051ec000 | 0x7ff7051edfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7051ee000 | 0x7ff7051ee000 | 0x7ff7051effff | Private Memory | rw |
|
|
|
- |
| sihost.exe | 0x7ff705a50000 | 0x7ff705a65fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff7503c0000 | 0x7ff7503c0000 | 0x7ff750756fff | Private Memory | rwx |
|
|
|
- |
| staterepository.core.dll | 0x7ffc46310000 | 0x7ffc463a8fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.staterepository.dll | 0x7ffc463b0000 | 0x7ffc46641fff | Memory Mapped File | rwx |
|
|
|
- |
| licensemanagerapi.dll | 0x7ffc488a0000 | 0x7ffc488abfff | Memory Mapped File | rwx |
|
|
|
- |
| twinui.appcore.dll | 0x7ffc48970000 | 0x7ffc48b7cfff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelproxy.dll | 0x7ffc48b80000 | 0x7ffc48b94fff | Memory Mapped File | rwx |
|
|
|
- |
| sharehost.dll | 0x7ffc48c80000 | 0x7ffc48d24fff | Memory Mapped File | rwx |
|
|
|
- |
| appcontracts.dll | 0x7ffc48d30000 | 0x7ffc48ddbfff | Memory Mapped File | rwx |
|
|
|
- |
| wpportinglibrary.dll | 0x7ffc48de0000 | 0x7ffc48de8fff | Memory Mapped File | rwx |
|
|
|
- |
| modernexecserver.dll | 0x7ffc48df0000 | 0x7ffc48ec7fff | Memory Mapped File | rwx |
|
|
|
- |
| dsclient.dll | 0x7ffc48ed0000 | 0x7ffc48edbfff | Memory Mapped File | rwx |
|
|
|
- |
| userdatatypehelperutil.dll | 0x7ffc48ee0000 | 0x7ffc48ef0fff | Memory Mapped File | rwx |
|
|
|
- |
| appointmentactivation.dll | 0x7ffc48f00000 | 0x7ffc48f21fff | Memory Mapped File | rwx |
|
|
|
- |
| activationmanager.dll | 0x7ffc48f30000 | 0x7ffc48f8dfff | Memory Mapped File | rwx |
|
|
|
- |
| edputil.dll | 0x7ffc48f90000 | 0x7ffc48fbefff | Memory Mapped File | rwx |
|
|
|
- |
| clipboardserver.dll | 0x7ffc48fc0000 | 0x7ffc48feffff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffc48ff0000 | 0x7ffc49459fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.shell.servicehostbuilder.dll | 0x7ffc49460000 | 0x7ffc49471fff | Memory Mapped File | rwx |
|
|
|
- |
| desktopshellext.dll | 0x7ffc49480000 | 0x7ffc49496fff | Memory Mapped File | rwx |
|
|
|
- |
| coreuicomponents.dll | 0x7ffc49bb0000 | 0x7ffc49e10fff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandbrokerclient.dll | 0x7ffc4b000000 | 0x7ffc4b010fff | Memory Mapped File | rwx |
|
|
|
- |
| notificationplatformcomponent.dll | 0x7ffc4b020000 | 0x7ffc4b02cfff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelclient.dll | 0x7ffc4b030000 | 0x7ffc4b072fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ffc4ddd0000 | 0x7ffc4e145fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp110_win.dll | 0x7ffc4f8f0000 | 0x7ffc4f981fff | Memory Mapped File | rwx |
|
|
|
- |
| policymanager.dll | 0x7ffc4f990000 | 0x7ffc4f9c8fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ffc50c00000 | 0x7ffc50d30fff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrproxy.dll | 0x7ffc50d40000 | 0x7ffc50d7dfff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc511b0000 | 0x7ffc51332fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ffc51340000 | 0x7ffc513b1fff | Memory Mapped File | rwx |
|
|
|
- |
| usermgrcli.dll | 0x7ffc51410000 | 0x7ffc5141ffff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ffc525f0000 | 0x7ffc52611fff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ffc52730000 | 0x7ffc527f7fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffc52ef0000 | 0x7ffc52f16fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ffc52f40000 | 0x7ffc5302dfff | Memory Mapped File | rwx |
|
|
|
- |
| rmclient.dll | 0x7ffc531b0000 | 0x7ffc531d7fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffc53810000 | 0x7ffc5382bfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ffc53920000 | 0x7ffc53951fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc545f0000 | 0x7ffc54600fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc54db0000 | 0x7ffc54f70fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\zotci.exe | 0xf0c | address = 0x7ff7503c0000, size = 3764224 |
|
1 | |
| Create Remote Thread | #1: c:\users\ciihmnxmn6ps\desktop\zotci.exe | 0xf0c | address = 0x7ff7503c2870 |
|
1 |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\users\Public\sys | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
Host Behavior
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\users\Public\sys | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN |
|
1 | |
| Create | C:\users\Public\sys | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN |
|
1 |
Module (78)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffc55800000 |
|
1 | |
| Load | mpr.dll | base_address = 0x7ffc53810000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x7ffc57aa0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7ffc57750000 |
|
1 | |
| Load | Shell32.dll | base_address = 0x7ffc559d0000 |
|
1 | |
| Load | Iphlpapi.dll | base_address = 0x7ffc51c50000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7ffc55822080 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7ffc55816060 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualFree, address_out = 0x7ffc5581bc10 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptExportKey, address_out = 0x7ffc57ab7b50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileW, address_out = 0x7ffc558257a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDriveTypeW, address_out = 0x7ffc558258f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCommandLineW, address_out = 0x7ffc55820150 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetStartupInfoW, address_out = 0x7ffc5581ed80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileW, address_out = 0x7ffc55825880 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualAlloc, address_out = 0x7ffc5581baf0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7ffc57acec40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ExitProcess, address_out = 0x7ffc5581ef50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffc558436a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x7ffc5581d5b0 |
|
1 | |
| Get Address | c:\windows\system32\iphlpapi.dll | function = GetIpNetTable, address_out = 0x7ffc51c6f0b0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x7ffc5581aa30 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffc55843690 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDefaultLangID, address_out = 0x7ffc55822ba0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameW, address_out = 0x7ffc57abda40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x7ffc55825a90 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegQueryValueExA, address_out = 0x7ffc57ab7dd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7ffc55825510 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegSetValueExW, address_out = 0x7ffc57ab7850 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7ffc57ab72e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7ffc5583e430 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesW, address_out = 0x7ffc55825b00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WinExec, address_out = 0x7ffc55841e60 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDeriveKey, address_out = 0x7ffc57ad07a0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptGenKey, address_out = 0x7ffc57abcab0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Sleep, address_out = 0x7ffc55818f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcess, address_out = 0x7ffc55816580 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteW, address_out = 0x7ffc55b1abc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x7ffc55825950 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GlobalAlloc, address_out = 0x7ffc5581b810 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x7ffc558257c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForMultipleObjects, address_out = 0x7ffc558256e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameA, address_out = 0x7ffc55820c70 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteA, address_out = 0x7ffc55bd7de0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleA, address_out = 0x7ffc5581e6d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameW, address_out = 0x7ffc5581eca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7ffc55825760 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSizeEx, address_out = 0x7ffc55825960 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x7ffc55825b80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalDrives, address_out = 0x7ffc558166d0 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetEnumResourceW, address_out = 0x7ffc538127d0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7ffc57ab6cb0 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetCloseEnum, address_out = 0x7ffc53812e20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x7ffc55822940 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x7ffc55825af0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExA, address_out = 0x7ffc57ab7d70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7ffc55825b20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount, address_out = 0x7ffc558160a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesW, address_out = 0x7ffc55825930 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileW, address_out = 0x7ffc55825840 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextW, address_out = 0x7ffc57ab89e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MoveFileExW, address_out = 0x7ffc55823010 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetOpenEnumW, address_out = 0x7ffc53812f20 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoInitialize, address_out = 0x7ffc57763870 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDecrypt, address_out = 0x7ffc57ab9140 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptImportKey, address_out = 0x7ffc57ab7b40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointerEx, address_out = 0x7ffc55825b30 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileW, address_out = 0x7ffc55825d70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibrary, address_out = 0x7ffc5581eb90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessW, address_out = 0x7ffc5581dee0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryW, address_out = 0x7ffc55825740 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThread, address_out = 0x7ffc5581bc20 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDestroyKey, address_out = 0x7ffc57ab86b0 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoCreateInstance, address_out = 0x7ffc57257000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileW, address_out = 0x7ffc55825770 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesA, address_out = 0x7ffc55825900 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptEncrypt, address_out = 0x7ffc57abd7e0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueW, address_out = 0x7ffc57ab90b0 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeBackupPrivilege, luid = 17 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 |
Process #3: taskhostw.exe
88
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\taskhostw.exe |
| Command Line | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:05, Reason: Injection |
| Unmonitor | End Time: 00:04:44, Reason: Crashed |
| Monitor Duration | 00:03:39 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x77c |
| Parent PID | 0x324 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
82C
0x
B7C
0x
AB0
0x
A2C
0x
940
0x
93C
0x
938
0x
934
0x
7B4
0x
780
0x
F74
0x
FD0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000a699760000 | 0xa699760000 | 0xa69976ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a699770000 | 0xa699770000 | 0xa699776fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a699780000 | 0xa699780000 | 0xa699793fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a6997a0000 | 0xa6997a0000 | 0xa69981ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a699820000 | 0xa699820000 | 0xa699823fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a699830000 | 0xa699830000 | 0xa699830fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a699840000 | 0xa699840000 | 0xa699841fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a699850000 | 0xa699850000 | 0xa699856fff | Private Memory | rw |
|
|
|
- |
| taskhostw.exe.mui | 0xa699860000 | 0xa699860fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a699870000 | 0xa699870000 | 0xa699870fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a699880000 | 0xa699880000 | 0xa699880fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a699890000 | 0xa699890000 | 0xa699893fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a6998a0000 | 0xa6998a0000 | 0xa6998a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a6998b0000 | 0xa6998b0000 | 0xa6999affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xa6999b0000 | 0xa699a6dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000a699a70000 | 0xa699a70000 | 0xa699a7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa699a80000 | 0xa699a8ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa699a90000 | 0xa699a9ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa699aa0000 | 0xa699aaffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa699ab0000 | 0xa699abffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa699ac0000 | 0xa699acffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa699ad0000 | 0xa699adffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa699ae0000 | 0xa699aeffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a699af0000 | 0xa699af0000 | 0xa699b6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a699b70000 | 0xa699b70000 | 0xa699c27fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a699c30000 | 0xa699c30000 | 0xa699c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a699c40000 | 0xa699c40000 | 0xa699c40fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a699c50000 | 0xa699c50000 | 0xa699c50fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a699c60000 | 0xa699c60000 | 0xa699c60fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a699c70000 | 0xa699c70000 | 0xa699c7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a699c80000 | 0xa699c80000 | 0xa699e07fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a699e10000 | 0xa699e10000 | 0xa699f90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a699fa0000 | 0xa699fa0000 | 0xa69b39ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a69b3a0000 | 0xa69b3a0000 | 0xa69b41ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69b420000 | 0xa69b420000 | 0xa69b420fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a69b430000 | 0xa69b430000 | 0xa69b43ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69b440000 | 0xa69b440000 | 0xa69b44ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69b450000 | 0xa69b450000 | 0xa69b45ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69b460000 | 0xa69b460000 | 0xa69b46ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69b470000 | 0xa69b470000 | 0xa69b47ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69b480000 | 0xa69b480000 | 0xa69b48ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a69b490000 | 0xa69b490000 | 0xa69b497fff | Private Memory | rw |
|
|
|
- |
| winmm.dll.mui | 0xa69b4a0000 | 0xa69b4a5fff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa69b4b0000 | 0xa69b4bffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa69b4c0000 | 0xa69b4cffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa69b4d0000 | 0xa69b4dffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa69b4e0000 | 0xa69b4effff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa69b4f0000 | 0xa69b4fffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa69b500000 | 0xa69b50ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa69b510000 | 0xa69b51ffff | Memory Mapped File | r |
|
|
|
- |
| sortdefault.nls | 0xa69b520000 | 0xa69b856fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a69b860000 | 0xa69b860000 | 0xa69b8dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69b8e0000 | 0xa69b8e0000 | 0xa69b95ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69b960000 | 0xa69b960000 | 0xa69ba5ffff | Private Memory | rw |
|
|
|
- |
| msctfmonitor.dll.mui | 0xa69ba60000 | 0xa69ba60fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a69ba70000 | 0xa69ba70000 | 0xa69baeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a69baf0000 | 0xa69baf0000 | 0xa69baf0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a69bb00000 | 0xa69bb00000 | 0xa69bb06fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a69bb10000 | 0xa69bb10000 | 0xa69bb1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69bb20000 | 0xa69bb20000 | 0xa69bb2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69bb30000 | 0xa69bb30000 | 0xa69bb3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69bb40000 | 0xa69bb40000 | 0xa69bb4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69bb50000 | 0xa69bb50000 | 0xa69bb5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a69bb60000 | 0xa69bb60000 | 0xa69bb6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a69bb70000 | 0xa69bb70000 | 0xa69cb6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69cb70000 | 0xa69cb70000 | 0xa69cb70fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69cb80000 | 0xa69cb80000 | 0xa69cb80fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69cb90000 | 0xa69cb90000 | 0xa69cb93fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69cba0000 | 0xa69cba0000 | 0xa69cba1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69cbb0000 | 0xa69cbb0000 | 0xa69cbb0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69cbc0000 | 0xa69cbc0000 | 0xa69cc4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a69cc50000 | 0xa69cc50000 | 0xa6a0c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a6a0c50000 | 0xa6a0c50000 | 0xa6a4c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a6a4c50000 | 0xa6a4c50000 | 0xa6a4c57fff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa6a4c60000 | 0xa6a4c6ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4c70000 | 0xa6a4c7ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4c80000 | 0xa6a4c8ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4c90000 | 0xa6a4c9ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4ca0000 | 0xa6a4caffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4cb0000 | 0xa6a4cbffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4cc0000 | 0xa6a4ccffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4cd0000 | 0xa6a4cdffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4ce0000 | 0xa6a4ceffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4cf0000 | 0xa6a4cfffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4d00000 | 0xa6a4d0ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4d10000 | 0xa6a4d1ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4d20000 | 0xa6a4d2ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4d30000 | 0xa6a4d3ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4d40000 | 0xa6a4d4ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4d50000 | 0xa6a4d5ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a6a4d60000 | 0xa6a4d60000 | 0xa6a4ddffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a6a4de0000 | 0xa6a4de0000 | 0xa6a4de7fff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa6a4df0000 | 0xa6a4dfffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4e00000 | 0xa6a4e0ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4e10000 | 0xa6a4e1ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4e20000 | 0xa6a4e2ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4e30000 | 0xa6a4e3ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4e40000 | 0xa6a4e4ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a6a4e50000 | 0xa6a4e50000 | 0xa6a4e57fff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa6a4e60000 | 0xa6a4e6ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4e70000 | 0xa6a4e7ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000a6a4e80000 | 0xa6a4e80000 | 0xa6a4e8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa6a4e90000 | 0xa6a4e9ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4ea0000 | 0xa6a4eaffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4eb0000 | 0xa6a4ebffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4ec0000 | 0xa6a4ecffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4ed0000 | 0xa6a4edffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a6a4ee0000 | 0xa6a4ee0000 | 0xa6a4f5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a6a4f60000 | 0xa6a4f60000 | 0xa6a4f6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa6a4f70000 | 0xa6a4f7ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4f80000 | 0xa6a4f8ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4f90000 | 0xa6a4f9ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a4fa0000 | 0xa6a4faffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a6a4fb0000 | 0xa6a4fb0000 | 0xa6a502ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a6a5030000 | 0xa6a5030000 | 0xa6a50affff | Private Memory | rw |
|
|
|
- |
| private_0x000000a6a50b0000 | 0xa6a50b0000 | 0xa6a51affff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa6a51b0000 | 0xa6a51bffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a51c0000 | 0xa6a51cffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a51d0000 | 0xa6a51dffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a51e0000 | 0xa6a51effff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a51f0000 | 0xa6a51fffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5200000 | 0xa6a520ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5210000 | 0xa6a521ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5220000 | 0xa6a522ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5230000 | 0xa6a523ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5240000 | 0xa6a524ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5250000 | 0xa6a525ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5260000 | 0xa6a526ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5270000 | 0xa6a527ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5280000 | 0xa6a528ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5290000 | 0xa6a529ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a52a0000 | 0xa6a52affff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a52b0000 | 0xa6a52bffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a52c0000 | 0xa6a52cffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a52d0000 | 0xa6a52dffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a52e0000 | 0xa6a52effff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a52f0000 | 0xa6a52fffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5300000 | 0xa6a530ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5310000 | 0xa6a531ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5320000 | 0xa6a532ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5330000 | 0xa6a533ffff | Memory Mapped File | r |
|
|
|
- |
| webcachev01.dat | 0xa6a5340000 | 0xa6a534ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a6a5350000 | 0xa6a5350000 | 0xa6a5357fff | Private Memory | rw |
|
|
|
- |
| webcachev01.dat | 0xa6a5370000 | 0xa6a537ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ffbd0000 | 0x7df5ffbd0000 | 0x7ff5ffbcffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7503c0000 | 0x7ff7503c0000 | 0x7ff750756fff | Private Memory | rwx |
|
|
|
- |
| private_0x00007ff7cf4d4000 | 0x7ff7cf4d4000 | 0x7ff7cf4d5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cf4d6000 | 0x7ff7cf4d6000 | 0x7ff7cf4d7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cf4d8000 | 0x7ff7cf4d8000 | 0x7ff7cf4d9fff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 59 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\zotci.exe | 0xf0c | address = 0x7ff7503c0000, size = 3764224 |
|
1 | |
| Create Remote Thread | #1: c:\users\ciihmnxmn6ps\desktop\zotci.exe | 0xf0c | address = 0x7ff7503c2870 |
|
1 |
Host Behavior
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\users\Public\sys | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN |
|
1 | |
| Create | C:\users\Public\sys | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN |
|
1 |
Module (78)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffc55800000 |
|
1 | |
| Load | mpr.dll | base_address = 0x7ffc53810000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x7ffc57aa0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7ffc57750000 |
|
1 | |
| Load | Shell32.dll | base_address = 0x7ffc559d0000 |
|
1 | |
| Load | Iphlpapi.dll | base_address = 0x7ffc51c50000 |
|
1 | |
| Get Address | Unknown module name | function = LoadLibraryA, address_out = 0x7ffc55822080 |
|
1 | |
| Get Address | Unknown module name | function = GetLastError, address_out = 0x7ffc55816060 |
|
1 | |
| Get Address | Unknown module name | function = VirtualFree, address_out = 0x7ffc5581bc10 |
|
1 | |
| Get Address | Unknown module name | function = CryptExportKey, address_out = 0x7ffc57ab7b50 |
|
1 | |
| Get Address | Unknown module name | function = DeleteFileW, address_out = 0x7ffc558257a0 |
|
1 | |
| Get Address | Unknown module name | function = GetDriveTypeW, address_out = 0x7ffc558258f0 |
|
1 | |
| Get Address | Unknown module name | function = GetCommandLineW, address_out = 0x7ffc55820150 |
|
1 | |
| Get Address | Unknown module name | function = GetStartupInfoW, address_out = 0x7ffc5581ed80 |
|
1 | |
| Get Address | Unknown module name | function = FindNextFileW, address_out = 0x7ffc55825880 |
|
1 | |
| Get Address | Unknown module name | function = VirtualAlloc, address_out = 0x7ffc5581baf0 |
|
1 | |
| Get Address | Unknown module name | function = GetUserNameA, address_out = 0x7ffc57acec40 |
|
1 | |
| Get Address | Unknown module name | function = ExitProcess, address_out = 0x7ffc5581ef50 |
|
1 | |
| Get Address | Unknown module name | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffc558436a0 |
|
1 | |
| Get Address | Unknown module name | function = CreateProcessA, address_out = 0x7ffc5581d5b0 |
|
1 | |
| Get Address | Unknown module name | function = GetIpNetTable, address_out = 0x7ffc51c6f0b0 |
|
1 | |
| Get Address | Unknown module name | function = GetVersionExW, address_out = 0x7ffc5581aa30 |
|
1 | |
| Get Address | Unknown module name | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffc55843690 |
|
1 | |
| Get Address | Unknown module name | function = GetSystemDefaultLangID, address_out = 0x7ffc55822ba0 |
|
1 | |
| Get Address | Unknown module name | function = GetUserNameW, address_out = 0x7ffc57abda40 |
|
1 | |
| Get Address | Unknown module name | function = ReadFile, address_out = 0x7ffc55825a90 |
|
1 | |
| Get Address | Unknown module name | function = RegQueryValueExA, address_out = 0x7ffc57ab7dd0 |
|
1 | |
| Get Address | Unknown module name | function = CloseHandle, address_out = 0x7ffc55825510 |
|
1 | |
| Get Address | Unknown module name | function = RegSetValueExW, address_out = 0x7ffc57ab7850 |
|
1 | |
| Get Address | Unknown module name | function = RegCloseKey, address_out = 0x7ffc57ab72e0 |
|
1 | |
| Get Address | Unknown module name | function = CopyFileA, address_out = 0x7ffc5583e430 |
|
1 | |
| Get Address | Unknown module name | function = SetFileAttributesW, address_out = 0x7ffc55825b00 |
|
1 | |
| Get Address | Unknown module name | function = WinExec, address_out = 0x7ffc55841e60 |
|
1 | |
| Get Address | Unknown module name | function = CryptDeriveKey, address_out = 0x7ffc57ad07a0 |
|
1 | |
| Get Address | Unknown module name | function = CryptGenKey, address_out = 0x7ffc57abcab0 |
|
1 | |
| Get Address | Unknown module name | function = Sleep, address_out = 0x7ffc55818f00 |
|
1 | |
| Get Address | Unknown module name | function = GetCurrentProcess, address_out = 0x7ffc55816580 |
|
1 | |
| Get Address | Unknown module name | function = ShellExecuteW, address_out = 0x7ffc55b1abc0 |
|
1 | |
| Get Address | Unknown module name | function = GetFileSize, address_out = 0x7ffc55825950 |
|
1 | |
| Get Address | Unknown module name | function = GlobalAlloc, address_out = 0x7ffc5581b810 |
|
1 | |
| Get Address | Unknown module name | function = FindClose, address_out = 0x7ffc558257c0 |
|
1 | |
| Get Address | Unknown module name | function = WaitForMultipleObjects, address_out = 0x7ffc558256e0 |
|
1 | |
| Get Address | Unknown module name | function = GetModuleFileNameA, address_out = 0x7ffc55820c70 |
|
1 | |
| Get Address | Unknown module name | function = ShellExecuteA, address_out = 0x7ffc55bd7de0 |
|
1 | |
| Get Address | Unknown module name | function = GetModuleHandleA, address_out = 0x7ffc5581e6d0 |
|
1 | |
| Get Address | Unknown module name | function = GetModuleFileNameW, address_out = 0x7ffc5581eca0 |
|
1 | |
| Get Address | Unknown module name | function = CreateFileA, address_out = 0x7ffc55825760 |
|
1 | |
| Get Address | Unknown module name | function = GetFileSizeEx, address_out = 0x7ffc55825960 |
|
1 | |
| Get Address | Unknown module name | function = WriteFile, address_out = 0x7ffc55825b80 |
|
1 | |
| Get Address | Unknown module name | function = GetLogicalDrives, address_out = 0x7ffc558166d0 |
|
1 | |
| Get Address | Unknown module name | function = WNetEnumResourceW, address_out = 0x7ffc538127d0 |
|
1 | |
| Get Address | Unknown module name | function = RegOpenKeyExW, address_out = 0x7ffc57ab6cb0 |
|
1 | |
| Get Address | Unknown module name | function = WNetCloseEnum, address_out = 0x7ffc53812e20 |
|
1 | |
| Get Address | Unknown module name | function = GetWindowsDirectoryW, address_out = 0x7ffc55822940 |
|
1 | |
| Get Address | Unknown module name | function = SetFileAttributesA, address_out = 0x7ffc55825af0 |
|
1 | |
| Get Address | Unknown module name | function = RegOpenKeyExA, address_out = 0x7ffc57ab7d70 |
|
1 | |
| Get Address | Unknown module name | function = SetFilePointer, address_out = 0x7ffc55825b20 |
|
1 | |
| Get Address | Unknown module name | function = GetTickCount, address_out = 0x7ffc558160a0 |
|
1 | |
| Get Address | Unknown module name | function = GetFileAttributesW, address_out = 0x7ffc55825930 |
|
1 | |
| Get Address | Unknown module name | function = FindFirstFileW, address_out = 0x7ffc55825840 |
|
1 | |
| Get Address | Unknown module name | function = CryptAcquireContextW, address_out = 0x7ffc57ab89e0 |
|
1 | |
| Get Address | Unknown module name | function = MoveFileExW, address_out = 0x7ffc55823010 |
|
1 | |
| Get Address | Unknown module name | function = WNetOpenEnumW, address_out = 0x7ffc53812f20 |
|
1 | |
| Get Address | Unknown module name | function = CoInitialize, address_out = 0x7ffc57763870 |
|
1 | |
| Get Address | Unknown module name | function = CryptDecrypt, address_out = 0x7ffc57ab9140 |
|
1 | |
| Get Address | Unknown module name | function = CryptImportKey, address_out = 0x7ffc57ab7b40 |
|
1 | |
| Get Address | Unknown module name | function = SetFilePointerEx, address_out = 0x7ffc55825b30 |
|
1 | |
| Get Address | Unknown module name | function = CopyFileW, address_out = 0x7ffc55825d70 |
|
1 | |
| Get Address | Unknown module name | function = FreeLibrary, address_out = 0x7ffc5581eb90 |
|
1 | |
| Get Address | Unknown module name | function = CreateProcessW, address_out = 0x7ffc5581dee0 |
|
1 | |
| Get Address | Unknown module name | function = CreateDirectoryW, address_out = 0x7ffc55825740 |
|
1 | |
| Get Address | Unknown module name | function = CreateThread, address_out = 0x7ffc5581bc20 |
|
1 | |
| Get Address | Unknown module name | function = CryptDestroyKey, address_out = 0x7ffc57ab86b0 |
|
1 | |
| Get Address | Unknown module name | function = CoCreateInstance, address_out = 0x7ffc57257000 |
|
1 | |
| Get Address | Unknown module name | function = CreateFileW, address_out = 0x7ffc55825770 |
|
1 | |
| Get Address | Unknown module name | function = GetFileAttributesA, address_out = 0x7ffc55825900 |
|
1 | |
| Get Address | Unknown module name | function = CryptEncrypt, address_out = 0x7ffc57abd7e0 |
|
1 | |
| Get Address | Unknown module name | function = RegDeleteValueW, address_out = 0x7ffc57ab90b0 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeBackupPrivilege, luid = 17 |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 | |
| Sleep | duration = 25000 milliseconds (25.000 seconds) |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
2 |
Process #4: net.exe
0
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "spooler" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:05, Reason: Child Process |
| Unmonitor | End Time: 00:01:15, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf78 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F7C
0x
B84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000028d8f50000 | 0x28d8f50000 | 0x28d8f6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000028d8f70000 | 0x28d8f70000 | 0x28d8f83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000028d8f90000 | 0x28d8f90000 | 0x28d900ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000028d9010000 | 0x28d9010000 | 0x28d9013fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000028d9020000 | 0x28d9020000 | 0x28d9020fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000028d9030000 | 0x28d9030000 | 0x28d9031fff | Private Memory | rw |
|
|
|
- |
| private_0x00000028d9040000 | 0x28d9040000 | 0x28d913ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff1d0000 | 0x7df5ff1d0000 | 0x7ff5ff1cffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7c9fa0000 | 0x7ff7c9fa0000 | 0x7ff7c9fc2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7c9fcd000 | 0x7ff7c9fcd000 | 0x7ff7c9fcefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7c9fcf000 | 0x7ff7c9fcf000 | 0x7ff7c9fcffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #5: runtimebroker.exe
143
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\runtimebroker.exe |
| Command Line | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:07, Reason: Injection |
| Unmonitor | End Time: 00:04:44, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:37 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7f8 |
| Parent PID | 0x23c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A30
0x
A1C
0x
854
0x
83C
0x
808
0x
11C
0x
FA0
0x
FAC
0x
3E30
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000003cd1d40000 | 0x3cd1d40000 | 0x3cd1d4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000003cd1d50000 | 0x3cd1d50000 | 0x3cd1d50fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd1d60000 | 0x3cd1d60000 | 0x3cd1d73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003cd1d80000 | 0x3cd1d80000 | 0x3cd1dfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd1e00000 | 0x3cd1e00000 | 0x3cd1e03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000003cd1e10000 | 0x3cd1e10000 | 0x3cd1e11fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003cd1e20000 | 0x3cd1e20000 | 0x3cd1e21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd1e30000 | 0x3cd1e30000 | 0x3cd1e36fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x3cd1e40000 | 0x3cd1efdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003cd1f00000 | 0x3cd1f00000 | 0x3cd1ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd2000000 | 0x3cd2000000 | 0x3cd207ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd2080000 | 0x3cd2080000 | 0x3cd20fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd2100000 | 0x3cd2100000 | 0x3cd2100fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd2110000 | 0x3cd2110000 | 0x3cd2110fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003cd2120000 | 0x3cd2120000 | 0x3cd219ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd21a0000 | 0x3cd21a0000 | 0x3cd21a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000003cd21b0000 | 0x3cd21b0000 | 0x3cd21d9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd21e0000 | 0x3cd21e0000 | 0x3cd21e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003cd21f0000 | 0x3cd21f0000 | 0x3cd21f6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd2200000 | 0x3cd2200000 | 0x3cd2206fff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd2210000 | 0x3cd2210000 | 0x3cd228ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd2290000 | 0x3cd2290000 | 0x3cd2290fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd22a0000 | 0x3cd22a0000 | 0x3cd22a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000003cd2300000 | 0x3cd2300000 | 0x3cd23fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003cd2400000 | 0x3cd2400000 | 0x3cd2587fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000003cd2590000 | 0x3cd2590000 | 0x3cd2710fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000003cd2720000 | 0x3cd2720000 | 0x3cd3b1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x3cd3b20000 | 0x3cd3e56fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003cd3e60000 | 0x3cd3e60000 | 0x3cd3edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd3ee0000 | 0x3cd3ee0000 | 0x3cd3f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd3f60000 | 0x3cd3f60000 | 0x3cd3fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd3fe0000 | 0x3cd3fe0000 | 0x3cd40dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003cd4100000 | 0x3cd4100000 | 0x3cd41fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffbe0000 | 0x7df5ffbe0000 | 0x7ff5ffbdffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff609b8a000 | 0x7ff609b8a000 | 0x7ff609b8bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff609b8c000 | 0x7ff609b8c000 | 0x7ff609b8dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff609b8e000 | 0x7ff609b8e000 | 0x7ff609b8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff609b90000 | 0x7ff609b90000 | 0x7ff609c8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff609c90000 | 0x7ff609c90000 | 0x7ff609cb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff609cb4000 | 0x7ff609cb4000 | 0x7ff609cb5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff609cb6000 | 0x7ff609cb6000 | 0x7ff609cb7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff609cb8000 | 0x7ff609cb8000 | 0x7ff609cb9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff609cba000 | 0x7ff609cba000 | 0x7ff609cbbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff609cbc000 | 0x7ff609cbc000 | 0x7ff609cbdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff609cbe000 | 0x7ff609cbe000 | 0x7ff609cbefff | Private Memory | rw |
|
|
|
- |
| runtimebroker.exe | 0x7ff60a170000 | 0x7ff60a185fff | Memory Mapped File | rwx |
|
|
|
- |
| ntoskrnl.exe | 0x7ff6efa30000 | 0x7ff6f0281fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff7503c0000 | 0x7ff7503c0000 | 0x7ff750756fff | Private Memory | rwx |
|
|
|
- |
| windows.networking.hostname.dll | 0x7ffc42260000 | 0x7ffc42297fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.internal.shell.broker.dll | 0x7ffc44180000 | 0x7ffc44211fff | Memory Mapped File | rwx |
|
|
|
- |
| authbroker.dll | 0x7ffc44ce0000 | 0x7ffc44d05fff | Memory Mapped File | rwx |
|
|
|
- |
| msauserext.dll | 0x7ffc44d10000 | 0x7ffc44d29fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.security.authentication.onlineid.dll | 0x7ffc44de0000 | 0x7ffc44e92fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.networking.connectivity.dll | 0x7ffc469c0000 | 0x7ffc46a6bfff | Memory Mapped File | rwx |
|
|
|
- |
| wwapi.dll | 0x7ffc46cf0000 | 0x7ffc46d05fff | Memory Mapped File | rwx |
|
|
|
- |
| tokenbroker.dll | 0x7ffc486a0000 | 0x7ffc48765fff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelproxy.dll | 0x7ffc48b80000 | 0x7ffc48b94fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffc48ff0000 | 0x7ffc49459fff | Memory Mapped File | rwx |
|
|
|
- |
| execmodelclient.dll | 0x7ffc4b030000 | 0x7ffc4b072fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ffc4b090000 | 0x7ffc4b09dfff | Memory Mapped File | rwx |
|
|
|
- |
| wlanapi.dll | 0x7ffc4b170000 | 0x7ffc4b1cefff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x7ffc4b290000 | 0x7ffc4b536fff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7ffc4c220000 | 0x7ffc4c25efff | Memory Mapped File | rwx |
|
|
|
- |
| idstore.dll | 0x7ffc4cf00000 | 0x7ffc4cf26fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.immersive.dll | 0x7ffc4dc10000 | 0x7ffc4ddc6fff | Memory Mapped File | rwx |
|
|
|
- |
| mrmcorer.dll | 0x7ffc4f1f0000 | 0x7ffc4f2fefff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x7ffc50bd0000 | 0x7ffc50bebfff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ffc50c00000 | 0x7ffc50d30fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ffc511b0000 | 0x7ffc51332fff | Memory Mapped File | rwx |
|
|
|
- |
| mmdevapi.dll | 0x7ffc51340000 | 0x7ffc513b1fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7ffc52640000 | 0x7ffc52652fff | Memory Mapped File | rwx |
|
|
|
- |
| coremessaging.dll | 0x7ffc52730000 | 0x7ffc527f7fff | Memory Mapped File | rwx |
|
|
|
- |
| sppc.dll | 0x7ffc52bd0000 | 0x7ffc52bf4fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x7ffc52c00000 | 0x7ffc52c25fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffc52ef0000 | 0x7ffc52f16fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ffc52f40000 | 0x7ffc5302dfff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffc53810000 | 0x7ffc5382bfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| sxs.dll | 0x7ffc54440000 | 0x7ffc544d7fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc545f0000 | 0x7ffc54600fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc54db0000 | 0x7ffc54f70fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\zotci.exe | 0xf0c | address = 0x7ff7503c0000, size = 3764224 |
|
1 | |
| Create Remote Thread | #1: c:\users\ciihmnxmn6ps\desktop\zotci.exe | 0xf0c | address = 0x7ff7503c2870 |
|
1 |
Host Behavior
File (21)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\users\Public\sys | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN |
|
21 |
Module (78)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffc55800000 |
|
1 | |
| Load | mpr.dll | base_address = 0x7ffc53810000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x7ffc57aa0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7ffc57750000 |
|
1 | |
| Load | Shell32.dll | base_address = 0x7ffc559d0000 |
|
1 | |
| Load | Iphlpapi.dll | base_address = 0x7ffc51c50000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7ffc55822080 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7ffc55816060 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualFree, address_out = 0x7ffc5581bc10 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptExportKey, address_out = 0x7ffc57ab7b50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileW, address_out = 0x7ffc558257a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDriveTypeW, address_out = 0x7ffc558258f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCommandLineW, address_out = 0x7ffc55820150 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetStartupInfoW, address_out = 0x7ffc5581ed80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileW, address_out = 0x7ffc55825880 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualAlloc, address_out = 0x7ffc5581baf0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7ffc57acec40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ExitProcess, address_out = 0x7ffc5581ef50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffc558436a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x7ffc5581d5b0 |
|
1 | |
| Get Address | c:\windows\system32\iphlpapi.dll | function = GetIpNetTable, address_out = 0x7ffc51c6f0b0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x7ffc5581aa30 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffc55843690 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDefaultLangID, address_out = 0x7ffc55822ba0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameW, address_out = 0x7ffc57abda40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x7ffc55825a90 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegQueryValueExA, address_out = 0x7ffc57ab7dd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7ffc55825510 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegSetValueExW, address_out = 0x7ffc57ab7850 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7ffc57ab72e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7ffc5583e430 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesW, address_out = 0x7ffc55825b00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WinExec, address_out = 0x7ffc55841e60 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDeriveKey, address_out = 0x7ffc57ad07a0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptGenKey, address_out = 0x7ffc57abcab0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Sleep, address_out = 0x7ffc55818f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcess, address_out = 0x7ffc55816580 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteW, address_out = 0x7ffc55b1abc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x7ffc55825950 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GlobalAlloc, address_out = 0x7ffc5581b810 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x7ffc558257c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForMultipleObjects, address_out = 0x7ffc558256e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameA, address_out = 0x7ffc55820c70 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteA, address_out = 0x7ffc55bd7de0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleA, address_out = 0x7ffc5581e6d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameW, address_out = 0x7ffc5581eca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7ffc55825760 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSizeEx, address_out = 0x7ffc55825960 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x7ffc55825b80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalDrives, address_out = 0x7ffc558166d0 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetEnumResourceW, address_out = 0x7ffc538127d0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7ffc57ab6cb0 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetCloseEnum, address_out = 0x7ffc53812e20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x7ffc55822940 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x7ffc55825af0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExA, address_out = 0x7ffc57ab7d70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7ffc55825b20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount, address_out = 0x7ffc558160a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesW, address_out = 0x7ffc55825930 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileW, address_out = 0x7ffc55825840 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextW, address_out = 0x7ffc57ab89e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MoveFileExW, address_out = 0x7ffc55823010 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetOpenEnumW, address_out = 0x7ffc53812f20 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoInitialize, address_out = 0x7ffc57763870 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDecrypt, address_out = 0x7ffc57ab9140 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptImportKey, address_out = 0x7ffc57ab7b40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointerEx, address_out = 0x7ffc55825b30 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileW, address_out = 0x7ffc55825d70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibrary, address_out = 0x7ffc5581eb90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessW, address_out = 0x7ffc5581dee0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryW, address_out = 0x7ffc55825740 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThread, address_out = 0x7ffc5581bc20 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDestroyKey, address_out = 0x7ffc57ab86b0 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoCreateInstance, address_out = 0x7ffc57257000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileW, address_out = 0x7ffc55825770 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesA, address_out = 0x7ffc55825900 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptEncrypt, address_out = 0x7ffc57abd7e0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueW, address_out = 0x7ffc57ab90b0 |
|
1 |
System (44)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 | |
| Sleep | duration = 25000 milliseconds (25.000 seconds) |
|
21 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
21 |
Process #7: net.exe
0
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:07, Reason: Child Process |
| Unmonitor | End Time: 00:01:17, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfb0 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FB4
0x
C54
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000f2dc740000 | 0xf2dc740000 | 0xf2dc75ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f2dc740000 | 0xf2dc740000 | 0xf2dc74ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000f2dc750000 | 0xf2dc750000 | 0xf2dc756fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f2dc760000 | 0xf2dc760000 | 0xf2dc773fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f2dc780000 | 0xf2dc780000 | 0xf2dc7fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f2dc800000 | 0xf2dc800000 | 0xf2dc803fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f2dc810000 | 0xf2dc810000 | 0xf2dc810fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f2dc820000 | 0xf2dc820000 | 0xf2dc821fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f2dc830000 | 0xf2dc830000 | 0xf2dc8affff | Private Memory | rw |
|
|
|
- |
| private_0x000000f2dc8b0000 | 0xf2dc8b0000 | 0xf2dc8b6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f2dc8c0000 | 0xf2dc8c0000 | 0xf2dc9bffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xf2dc9c0000 | 0xf2dca7dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f2dcc20000 | 0xf2dcc20000 | 0xf2dcc2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff410000 | 0x7df5ff410000 | 0x7ff5ff40ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7cab00000 | 0x7ff7cab00000 | 0x7ff7cabfffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7cac00000 | 0x7ff7cac00000 | 0x7ff7cac22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7cac2b000 | 0x7ff7cac2b000 | 0x7ff7cac2cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cac2d000 | 0x7ff7cac2d000 | 0x7ff7cac2efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cac2f000 | 0x7ff7cac2f000 | 0x7ff7cac2ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc466b0000 | 0x7ffc466c3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffc53810000 | 0x7ffc5382bfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #9: net.exe
0
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:09, Reason: Child Process |
| Unmonitor | End Time: 00:01:13, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfec |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FF0
0x
4F8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000007774680000 | 0x7774680000 | 0x777469ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000077746a0000 | 0x77746a0000 | 0x77746b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000077746c0000 | 0x77746c0000 | 0x777473ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007774740000 | 0x7774740000 | 0x7774743fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000007774750000 | 0x7774750000 | 0x7774750fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007774760000 | 0x7774760000 | 0x7774761fff | Private Memory | rw |
|
|
|
- |
| private_0x0000007774930000 | 0x7774930000 | 0x7774a2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff2f0000 | 0x7df5ff2f0000 | 0x7ff5ff2effff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca910000 | 0x7ff7ca910000 | 0x7ff7ca932fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca93d000 | 0x7ff7ca93d000 | 0x7ff7ca93dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca93e000 | 0x7ff7ca93e000 | 0x7ff7ca93ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #10: shellexperiencehost.exe
0
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe |
| Command Line | "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca |
| Initial Working Directory | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ |
| Monitor | Start Time: 00:01:09, Reason: Injection |
| Unmonitor | End Time: 00:04:44, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:35 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x980 |
| Parent PID | 0x23c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
2E0
0x
53C
0x
7A4
0x
BFC
0x
BF4
0x
BF0
0x
BEC
0x
BE8
0x
BE4
0x
BE0
0x
BDC
0x
BD8
0x
BD4
0x
BD0
0x
BCC
0x
BC8
0x
BC4
0x
BC0
0x
BBC
0x
BB8
0x
BB4
0x
BB0
0x
BA0
0x
B9C
0x
B98
0x
B94
0x
B34
0x
B1C
0x
B0C
0x
9D0
0x
9C8
0x
9C4
0x
9C0
0x
9BC
0x
9B0
0x
9AC
0x
9A8
0x
9A4
0x
9A0
0x
99C
0x
998
0x
994
0x
990
0x
984
0x
408
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000da54c90000 | 0xda54c90000 | 0xda54c9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000da54ca0000 | 0xda54ca0000 | 0xda54ca0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da54cb0000 | 0xda54cb0000 | 0xda54cc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000da54cd0000 | 0xda54cd0000 | 0xda54dcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da54dd0000 | 0xda54dd0000 | 0xda54dd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000da54de0000 | 0xda54de0000 | 0xda54de1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000da54df0000 | 0xda54df0000 | 0xda54df0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da54e00000 | 0xda54e00000 | 0xda54e29fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000da54e30000 | 0xda54e30000 | 0xda54e30fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000da54e40000 | 0xda54e40000 | 0xda54e40fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000da54e50000 | 0xda54e50000 | 0xda54e50fff | Pagefile Backed Memory | rw |
|
|
|
- |
| 2504515037.pri | 0xda54e60000 | 0xda54e6bfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000da54e70000 | 0xda54e70000 | 0xda54e70fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000da54e80000 | 0xda54e80000 | 0xda54e86fff | Private Memory | rw |
|
|
|
- |
| private_0x000000da54e90000 | 0xda54e90000 | 0xda54e90fff | Private Memory | rw |
|
|
|
- |
| private_0x000000da54ea0000 | 0xda54ea0000 | 0xda54ea0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da54eb0000 | 0xda54eb0000 | 0xda54eb0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| resources.en-us.pri | 0xda54ed0000 | 0xda54edcfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000da54ee0000 | 0xda54ee0000 | 0xda54ee1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| windows.ui.xaml.dll.mui | 0xda54ef0000 | 0xda54ef9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000da54f00000 | 0xda54f00000 | 0xda54ffffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xda55000000 | 0xda550bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000da550c0000 | 0xda550c0000 | 0xda551bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da551c0000 | 0xda551c0000 | 0xda55347fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000da55350000 | 0xda55350000 | 0xda5535ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000da55360000 | 0xda55360000 | 0xda5536ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000da55370000 | 0xda55370000 | 0xda5537ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| tilecache_100_0_header.bin | 0xda55380000 | 0xda55382fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000da55390000 | 0xda55390000 | 0xda55390fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da553a0000 | 0xda553a0000 | 0xda553a3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000da553b0000 | 0xda553b0000 | 0xda553b6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da553c0000 | 0xda553c0000 | 0xda553f1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000da55400000 | 0xda55400000 | 0xda554fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da55500000 | 0xda55500000 | 0xda55680fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000da55690000 | 0xda55690000 | 0xda56a8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000da56a90000 | 0xda56a90000 | 0xda56b8ffff | Private Memory | rw |
|
|
|
- |
| windows.ui.xaml.resources.dll | 0xda56b90000 | 0xda56cc6fff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll.mui | 0xda56cd0000 | 0xda56daefff | Memory Mapped File | r |
|
|
|
- |
| sortdefault.nls | 0xda56db0000 | 0xda570e6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000da570f0000 | 0xda570f0000 | 0xda571effff | Private Memory | rw |
|
|
|
- |
| private_0x000000da571f0000 | 0xda571f0000 | 0xda572effff | Private Memory | rw |
|
|
|
- |
| private_0x000000da572f0000 | 0xda572f0000 | 0xda573effff | Private Memory | rw |
|
|
|
- |
| private_0x000000da573f0000 | 0xda573f0000 | 0xda574effff | Private Memory | rw |
|
|
|
- |
| private_0x000000da574f0000 | 0xda574f0000 | 0xda575effff | Private Memory | rw |
|
|
|
- |
| private_0x000000da575f0000 | 0xda575f0000 | 0xda575f0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da57600000 | 0xda57600000 | 0xda57603fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000da57610000 | 0xda57610000 | 0xda57616fff | Private Memory | rw |
|
|
|
- |
| resources.pri | 0xda57620000 | 0xda576f3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000da57700000 | 0xda57700000 | 0xda577fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da57800000 | 0xda57800000 | 0xda57ffffff | Private Memory | - |
|
|
|
- |
| private_0x000000da58000000 | 0xda58000000 | 0xda580fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58100000 | 0xda58100000 | 0xda581fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58200000 | 0xda58200000 | 0xda582fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58300000 | 0xda58300000 | 0xda583fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58400000 | 0xda58400000 | 0xda584fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58500000 | 0xda58500000 | 0xda585fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58600000 | 0xda58600000 | 0xda586fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58700000 | 0xda58700000 | 0xda587fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58800000 | 0xda58800000 | 0xda588fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58900000 | 0xda58900000 | 0xda589fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58b00000 | 0xda58b00000 | 0xda58bfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58c00000 | 0xda58c00000 | 0xda58cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da58e00000 | 0xda58e00000 | 0xda58efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da59100000 | 0xda59100000 | 0xda591fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da59200000 | 0xda59200000 | 0xda59200fff | Private Memory | rw |
|
|
|
- |
| private_0x000000da59220000 | 0xda59220000 | 0xda59220fff | Private Memory | rw |
|
|
|
- |
| private_0x000000da59230000 | 0xda59230000 | 0xda59230fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da59240000 | 0xda59240000 | 0xda59243fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000da59250000 | 0xda59250000 | 0xda59250fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da59260000 | 0xda59260000 | 0xda59263fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000da59270000 | 0xda59270000 | 0xda59276fff | Private Memory | rw |
|
|
|
- |
| ~fontcache-system.dat | 0xda59280000 | 0xda592f5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000da59300000 | 0xda59300000 | 0xda593fffff | Private Memory | rw |
|
|
|
- |
| segoeui.ttf | 0xda59400000 | 0xda594defff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000da594e0000 | 0xda594e0000 | 0xda594e6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000da594f0000 | 0xda594f0000 | 0xda594f3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000da59500000 | 0xda59500000 | 0xda595fffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-fontface.dat | 0xda59600000 | 0xda5a5fffff | Memory Mapped File | r |
|
|
|
- |
| ~fontcache-s-1-5-21-1462094071-1423818996-289466292-1000.dat | 0xda5a600000 | 0xda5adfffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000da5ae00000 | 0xda5ae00000 | 0xda5aefffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5af00000 | 0xda5af00000 | 0xda5affffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5b000000 | 0xda5b000000 | 0xda5b0fffff | Private Memory | rw |
|
|
|
- |
| tilecache_100_0_data.bin | 0xda5b100000 | 0xda5b1fffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x000000da5b200000 | 0xda5b200000 | 0xda5b4bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000da5b4c0000 | 0xda5b4c0000 | 0xda5b5bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5b5c0000 | 0xda5b5c0000 | 0xda5b6bffff | Private Memory | rw |
|
|
|
- |
| msxml6r.dll | 0xda5b6c0000 | 0xda5b6c0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000da5b700000 | 0xda5b700000 | 0xda5b7fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5b800000 | 0xda5b800000 | 0xda5b8fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5b900000 | 0xda5b900000 | 0xda5b97ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5ba00000 | 0xda5ba00000 | 0xda5bafffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5bb00000 | 0xda5bb00000 | 0xda5bbfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5bc00000 | 0xda5bc00000 | 0xda5bcfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5bd00000 | 0xda5bd00000 | 0xda5bdfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5be00000 | 0xda5be00000 | 0xda5befffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5bf00000 | 0xda5bf00000 | 0xda5bffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5c000000 | 0xda5c000000 | 0xda5c0fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5c100000 | 0xda5c100000 | 0xda5c1fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5c200000 | 0xda5c200000 | 0xda5c2fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5c300000 | 0xda5c300000 | 0xda5c3fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5c400000 | 0xda5c400000 | 0xda5c4fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5c500000 | 0xda5c500000 | 0xda5c5fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5c600000 | 0xda5c600000 | 0xda5c6fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5c700000 | 0xda5c700000 | 0xda5c7fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5c800000 | 0xda5c800000 | 0xda5c8fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5c900000 | 0xda5c900000 | 0xda5c9fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5ca00000 | 0xda5ca00000 | 0xda5cafffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5cb00000 | 0xda5cb00000 | 0xda5cbfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5cc00000 | 0xda5cc00000 | 0xda5ccfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5cd00000 | 0xda5cd00000 | 0xda5cdfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5cf00000 | 0xda5cf00000 | 0xda5cffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5d000000 | 0xda5d000000 | 0xda5d0fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5d1d0000 | 0xda5d1d0000 | 0xda5d1d6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5d200000 | 0xda5d200000 | 0xda5d2fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5d300000 | 0xda5d300000 | 0xda5d3fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5d400000 | 0xda5d400000 | 0xda5d4fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000da5d500000 | 0xda5d500000 | 0xda5d5fffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631eca000 | 0x7ff631eca000 | 0x7ff631ecbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ecc000 | 0x7ff631ecc000 | 0x7ff631ecdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ece000 | 0x7ff631ece000 | 0x7ff631ecffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ed2000 | 0x7ff631ed2000 | 0x7ff631ed3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ed4000 | 0x7ff631ed4000 | 0x7ff631ed5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ed6000 | 0x7ff631ed6000 | 0x7ff631ed7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ed8000 | 0x7ff631ed8000 | 0x7ff631ed9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631eda000 | 0x7ff631eda000 | 0x7ff631edbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631edc000 | 0x7ff631edc000 | 0x7ff631eddfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ede000 | 0x7ff631ede000 | 0x7ff631edffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ee0000 | 0x7ff631ee0000 | 0x7ff631ee1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ee2000 | 0x7ff631ee2000 | 0x7ff631ee3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ee4000 | 0x7ff631ee4000 | 0x7ff631ee5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ee6000 | 0x7ff631ee6000 | 0x7ff631ee7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ee8000 | 0x7ff631ee8000 | 0x7ff631ee9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631eea000 | 0x7ff631eea000 | 0x7ff631eebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631eec000 | 0x7ff631eec000 | 0x7ff631eedfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631eee000 | 0x7ff631eee000 | 0x7ff631eeffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ef0000 | 0x7ff631ef0000 | 0x7ff631ef1fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ef2000 | 0x7ff631ef2000 | 0x7ff631ef3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ef4000 | 0x7ff631ef4000 | 0x7ff631ef5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ef6000 | 0x7ff631ef6000 | 0x7ff631ef7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631ef8000 | 0x7ff631ef8000 | 0x7ff631ef9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631efa000 | 0x7ff631efa000 | 0x7ff631efbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631efc000 | 0x7ff631efc000 | 0x7ff631efdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631efe000 | 0x7ff631efe000 | 0x7ff631efffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631f04000 | 0x7ff631f04000 | 0x7ff631f05fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631f08000 | 0x7ff631f08000 | 0x7ff631f09fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631f0c000 | 0x7ff631f0c000 | 0x7ff631f0dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631f0e000 | 0x7ff631f0e000 | 0x7ff631f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631f10000 | 0x7ff631f10000 | 0x7ff631f11fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff631f12000 | 0x7ff631f12000 | 0x7ff631f13fff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 91 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create Remote Thread | #1: c:\users\ciihmnxmn6ps\desktop\zotci.exe | 0xf0c | address = 0x7ff7503c2870 |
|
1 |
Process #12: net1.exe
67
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:10, Reason: Child Process |
| Unmonitor | End Time: 00:01:17, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc58 |
| Parent PID | 0xfb0 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C44
0x
CC4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000008cfd740000 | 0x8cfd740000 | 0x8cfd75ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008cfd740000 | 0x8cfd740000 | 0x8cfd74ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000008cfd750000 | 0x8cfd750000 | 0x8cfd756fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008cfd760000 | 0x8cfd760000 | 0x8cfd773fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008cfd780000 | 0x8cfd780000 | 0x8cfd7fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008cfd800000 | 0x8cfd800000 | 0x8cfd803fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008cfd810000 | 0x8cfd810000 | 0x8cfd810fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008cfd820000 | 0x8cfd820000 | 0x8cfd821fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008cfd830000 | 0x8cfd830000 | 0x8cfd8affff | Private Memory | rw |
|
|
|
- |
| private_0x0000008cfd8b0000 | 0x8cfd8b0000 | 0x8cfd8b6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x8cfd8c0000 | 0x8cfd8c2fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000008cfd8d0000 | 0x8cfd8d0000 | 0x8cfd9cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x8cfd9d0000 | 0x8cfda8dfff | Memory Mapped File | r |
|
|
|
- |
| netmsg.dll.mui | 0x8cfda90000 | 0x8cfdac1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008cfdb20000 | 0x8cfdb20000 | 0x8cfdb2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff320000 | 0x7df5ff320000 | 0x7ff5ff31ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648bf0000 | 0x7ff648bf0000 | 0x7ff648ceffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648cf0000 | 0x7ff648cf0000 | 0x7ff648d12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff648d1a000 | 0x7ff648d1a000 | 0x7ff648d1bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648d1c000 | 0x7ff648d1c000 | 0x7ff648d1dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648d1e000 | 0x7ff648d1e000 | 0x7ff648d1efff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc466b0000 | 0x7ffc466c3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (32)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
15 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 169 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
7 | |
| Write | STD_OUTPUT_HANDLE | size = 16 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 53 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 54 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 70 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x8cfd8c0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (30)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = AUDIOENDPOINTBUILDER |
|
1 | |
| Control | service_name = Audiosrv |
|
1 | |
| Control | service_name = Audiosrv |
|
1 | |
| Control | service_name = Audiosrv |
|
1 | |
| Control | service_name = AUDIOENDPOINTBUILDER |
|
1 | |
| Control | service_name = AUDIOENDPOINTBUILDER |
|
1 | |
| Get Display Name | database_name = SERVICES_ACTIVE_DATABASE |
|
3 | |
| Get Display Name | database_name = SERVICES_ACTIVE_DATABASE |
|
2 | |
| Get Info | service_name = AUDIOENDPOINTBUILDER |
|
1 | |
| Get Info | service_name = AUDIOENDPOINTBUILDER |
|
1 | |
| Get Info | service_name = Audiosrv |
|
1 | |
| Get Info | service_name = AUDIOENDPOINTBUILDER |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 2500 milliseconds (2.500 seconds) |
|
2 |
Process #13: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:11, Reason: Child Process |
| Unmonitor | End Time: 00:01:13, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcc8 |
| Parent PID | 0xfec (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CEC
0x
C7C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000008c94b80000 | 0x8c94b80000 | 0x8c94b9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008c94b80000 | 0x8c94b80000 | 0x8c94b8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000008c94b90000 | 0x8c94b90000 | 0x8c94b96fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008c94ba0000 | 0x8c94ba0000 | 0x8c94bb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008c94bc0000 | 0x8c94bc0000 | 0x8c94c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008c94c40000 | 0x8c94c40000 | 0x8c94c43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008c94c50000 | 0x8c94c50000 | 0x8c94c50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008c94c60000 | 0x8c94c60000 | 0x8c94c61fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x8c94c70000 | 0x8c94d2dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008c94d30000 | 0x8c94d30000 | 0x8c94d36fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x8c94d40000 | 0x8c94d42fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000008c94d80000 | 0x8c94d80000 | 0x8c94e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008c94e80000 | 0x8c94e80000 | 0x8c94efffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x8c94f00000 | 0x8c94f31fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008c94ff0000 | 0x8c94ff0000 | 0x8c94ffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff680000 | 0x7df5ff680000 | 0x7ff5ff67ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648cc0000 | 0x7ff648cc0000 | 0x7ff648dbffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648dc0000 | 0x7ff648dc0000 | 0x7ff648de2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff648deb000 | 0x7ff648deb000 | 0x7ff648debfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648dec000 | 0x7ff648dec000 | 0x7ff648dedfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648dee000 | 0x7ff648dee000 | 0x7ff648deffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc466b0000 | 0x7ffc466c3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x8c94d40000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #14: net1.exe
33
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "spooler" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:11, Reason: Child Process |
| Unmonitor | End Time: 00:01:14, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcbc |
| Parent PID | 0xf78 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C88
0x
D54
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000079a8260000 | 0x79a8260000 | 0x79a827ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000079a8260000 | 0x79a8260000 | 0x79a826ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000079a8270000 | 0x79a8270000 | 0x79a8276fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000079a8280000 | 0x79a8280000 | 0x79a8293fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000079a82a0000 | 0x79a82a0000 | 0x79a831ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000079a8320000 | 0x79a8320000 | 0x79a8323fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000079a8330000 | 0x79a8330000 | 0x79a8330fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000079a8340000 | 0x79a8340000 | 0x79a8341fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x79a8350000 | 0x79a840dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000079a8410000 | 0x79a8410000 | 0x79a848ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000079a8490000 | 0x79a8490000 | 0x79a8496fff | Private Memory | rw |
|
|
|
- |
| private_0x00000079a84a0000 | 0x79a84a0000 | 0x79a859ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x79a85a0000 | 0x79a85a2fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0x79a85b0000 | 0x79a85e1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000079a8790000 | 0x79a8790000 | 0x79a879ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff570000 | 0x7df5ff570000 | 0x7ff5ff56ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648910000 | 0x7ff648910000 | 0x7ff648a0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648a10000 | 0x7ff648a10000 | 0x7ff648a32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff648a3b000 | 0x7ff648a3b000 | 0x7ff648a3cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648a3d000 | 0x7ff648a3d000 | 0x7ff648a3dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648a3e000 | 0x7ff648a3e000 | 0x7ff648a3ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc466b0000 | 0x7ffc466c3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (12)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
5 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 53 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x79a85a0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SPOOLER |
|
1 | |
| Control | service_name = SPOOLER |
|
1 | |
| Control | service_name = SPOOLER |
|
1 | |
| Get Display Name | database_name = SERVICES_ACTIVE_DATABASE |
|
2 | |
| Get Info | service_name = SPOOLER |
|
1 | |
| Get Info | service_name = SPOOLER |
|
1 | |
| Get Info | service_name = SPOOLER |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 2500 milliseconds (2.500 seconds) |
|
1 |
Process #15: werfault.exe
0
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\windows\system32\werfault.exe |
| Command Line | C:\Windows\system32\WerFault.exe -u -p 1796 -s 744 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:12, Reason: Child Process |
| Unmonitor | End Time: 00:01:17, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd40 |
| Parent PID | 0x704 (c:\windows\system32\sihost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D38
0x
CF8
0x
BF8
0x
7FC
0x
5B8
0x
728
0x
A58
0x
7C4
0x
248
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000443df80000 | 0x443df80000 | 0x443df9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000443df80000 | 0x443df80000 | 0x443df8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000443df90000 | 0x443df90000 | 0x443df96fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000443dfa0000 | 0x443dfa0000 | 0x443dfb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000443dfc0000 | 0x443dfc0000 | 0x443e03ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000443e040000 | 0x443e040000 | 0x443e043fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000443e050000 | 0x443e050000 | 0x443e052fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000443e060000 | 0x443e060000 | 0x443e061fff | Private Memory | rw |
|
|
|
- |
| private_0x000000443e070000 | 0x443e070000 | 0x443e076fff | Private Memory | rw |
|
|
|
- |
| werfault.exe.mui | 0x443e080000 | 0x443e083fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000443e090000 | 0x443e090000 | 0x443e09ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000443e0a0000 | 0x443e0a0000 | 0x443e0a0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000443e0b0000 | 0x443e0b0000 | 0x443e0b0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000443e0c0000 | 0x443e0c0000 | 0x443e1bffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x443e1c0000 | 0x443e27dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000443e280000 | 0x443e280000 | 0x443e2fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000443e300000 | 0x443e300000 | 0x443e300fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000443e310000 | 0x443e310000 | 0x443e310fff | Private Memory | rw |
|
|
|
- |
| ntdll.dll.mui | 0x443e320000 | 0x443e385fff | Memory Mapped File | r |
|
|
|
- |
| faultrep.dll.mui | 0x443e390000 | 0x443e391fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000443e3a0000 | 0x443e3a0000 | 0x443e3a0fff | Private Memory | rw |
|
|
|
- |
| wer.dll.mui | 0x443e3b0000 | 0x443e3b2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000443e3c0000 | 0x443e3c0000 | 0x443e3c6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000443e3d0000 | 0x443e3d0000 | 0x443e3d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000443e3e0000 | 0x443e3e0000 | 0x443e3e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000443e3f0000 | 0x443e3f0000 | 0x443e3f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| werui.dll.mui | 0x443e3f0000 | 0x443e3f4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000443e400000 | 0x443e400000 | 0x443e401fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000443e410000 | 0x443e410000 | 0x443e410fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000443e420000 | 0x443e420000 | 0x443e421fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000443e430000 | 0x443e430000 | 0x443e433fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000443e440000 | 0x443e440000 | 0x443e446fff | Private Memory | rw |
|
|
|
- |
| duser.dll.mui | 0x443e450000 | 0x443e450fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000443e460000 | 0x443e460000 | 0x443e46ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000443e470000 | 0x443e470000 | 0x443e5f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000443e600000 | 0x443e600000 | 0x443e780fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000443e790000 | 0x443e790000 | 0x443fb8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000443fb90000 | 0x443fb90000 | 0x443fc8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000443fc90000 | 0x443fc90000 | 0x443fd0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000443fd10000 | 0x443fd10000 | 0x443fd1ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x443fd20000 | 0x4440056fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004440060000 | 0x4440060000 | 0x444015ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004440160000 | 0x4440160000 | 0x444025ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004440260000 | 0x4440260000 | 0x444045ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x4440460000 | 0x444053efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004440540000 | 0x4440540000 | 0x444063ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004440640000 | 0x4440640000 | 0x44406bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000044406c0000 | 0x44406c0000 | 0x444073ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004440740000 | 0x4440740000 | 0x44407bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000044407c0000 | 0x44407c0000 | 0x444083ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004440840000 | 0x4440840000 | 0x44408bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000044408c0000 | 0x44408c0000 | 0x4440977fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007df5ffd10000 | 0x7df5ffd10000 | 0x7ff5ffd0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff73988c000 | 0x7ff73988c000 | 0x7ff73988dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff73988e000 | 0x7ff73988e000 | 0x7ff73988ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff739890000 | 0x7ff739890000 | 0x7ff73998ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff739990000 | 0x7ff739990000 | 0x7ff7399b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7399b3000 | 0x7ff7399b3000 | 0x7ff7399b4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7399b5000 | 0x7ff7399b5000 | 0x7ff7399b6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7399b7000 | 0x7ff7399b7000 | 0x7ff7399b8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7399b9000 | 0x7ff7399b9000 | 0x7ff7399bafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7399bb000 | 0x7ff7399bb000 | 0x7ff7399bbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7399bc000 | 0x7ff7399bc000 | 0x7ff7399bdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7399be000 | 0x7ff7399be000 | 0x7ff7399bffff | Private Memory | rw |
|
|
|
- |
| werfault.exe | 0x7ff739e30000 | 0x7ff739e7afff | Memory Mapped File | rwx |
|
|
|
- |
| dbgeng.dll | 0x7ffc3e7f0000 | 0x7ffc3eccbfff | Memory Mapped File | rwx |
|
|
|
- |
| dui70.dll | 0x7ffc3f180000 | 0x7ffc3f32ffff | Memory Mapped File | rwx |
|
|
|
- |
| wer.dll | 0x7ffc3fb50000 | 0x7ffc3fbedfff | Memory Mapped File | rwx |
|
|
|
- |
| dbghelp.dll | 0x7ffc3fe00000 | 0x7ffc3ff89fff | Memory Mapped File | rwx |
|
|
|
- |
| atlthunk.dll | 0x7ffc41be0000 | 0x7ffc41beffff | Memory Mapped File | rwx |
|
|
|
- |
| dbgmodel.dll | 0x7ffc46700000 | 0x7ffc46790fff | Memory Mapped File | rwx |
|
|
|
- |
| riched20.dll | 0x7ffc46700000 | 0x7ffc4679afff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ffc4b090000 | 0x7ffc4b09dfff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ffc4b6e0000 | 0x7ffc4b6ebfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffc4b890000 | 0x7ffc4b899fff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7ffc4c220000 | 0x7ffc4c25efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4cbd0000 | 0x7ffc4ce43fff | Memory Mapped File | rwx |
|
|
|
- |
| werui.dll | 0x7ffc4d0e0000 | 0x7ffc4d153fff | Memory Mapped File | rwx |
|
|
|
- |
| msls31.dll | 0x7ffc4d4a0000 | 0x7ffc4d4d7fff | Memory Mapped File | rwx |
|
|
|
- |
| duser.dll | 0x7ffc4f3a0000 | 0x7ffc4f438fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| dbgcore.dll | 0x7ffc50dc0000 | 0x7ffc50de4fff | Memory Mapped File | rwx |
|
|
|
- |
| faultrep.dll | 0x7ffc50df0000 | 0x7ffc50e4dfff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7ffc513d0000 | 0x7ffc513e7fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ffc525f0000 | 0x7ffc52611fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffc52ef0000 | 0x7ffc52f16fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ffc53920000 | 0x7ffc53951fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #16: searchui.exe
86
0
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe |
| Command Line | "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca |
| Initial Working Directory | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ |
| Monitor | Start Time: 00:01:13, Reason: Injection |
| Unmonitor | End Time: 00:02:33, Reason: Crashed |
| Monitor Duration | 00:01:20 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9e4 |
| Parent PID | 0x23c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
8C0
0x
B28
0x
B14
0x
B08
0x
B04
0x
B00
0x
AFC
0x
AF8
0x
AF0
0x
AC0
0x
ABC
0x
AB8
0x
AAC
0x
AA8
0x
AA4
0x
AA0
0x
A9C
0x
A98
0x
A88
0x
A28
0x
A24
0x
A20
0x
A18
0x
A14
0x
A0C
0x
A08
0x
A04
0x
A00
0x
9FC
0x
9F8
0x
9F4
0x
9F0
0x
9E8
0x
DD4
0x
1184
0x
11B8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000ae80000000 | 0xae80000000 | 0xae80180fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ae80190000 | 0xae80190000 | 0xae8158ffff | Pagefile Backed Memory | r |
|
|
|
- |
| kernelbase.dll.mui | 0xae81590000 | 0xae8166efff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ae81670000 | 0xae81670000 | 0xae8176ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xae81770000 | 0xae81aa6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ae81ab0000 | 0xae81ab0000 | 0xae81baffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae81bb0000 | 0xae81bb0000 | 0xae81caffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae81cb0000 | 0xae81cb0000 | 0xae81daffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae81db0000 | 0xae81db0000 | 0xae81eaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae81eb0000 | 0xae81eb0000 | 0xae81faffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae81fb0000 | 0xae81fb0000 | 0xae820affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ae821b0000 | 0xae821b0000 | 0xae821b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| counters.dat | 0xae821c0000 | 0xae821c0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ae821d0000 | 0xae821d0000 | 0xae821d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| resources.pri | 0xae821e0000 | 0xae82200fff | Memory Mapped File | r |
|
|
|
- |
| 2495906576.pri | 0xae82210000 | 0xae82223fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ae82230000 | 0xae82230000 | 0xae82230fff | Pagefile Backed Memory | rw |
|
|
|
- |
| app.xbf | 0xae82240000 | 0xae82240fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ae82250000 | 0xae82250000 | 0xae82250fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ae82260000 | 0xae82260000 | 0xae82260fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae82270000 | 0xae82270000 | 0xae82270fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ae82280000 | 0xae82280000 | 0xae82280fff | Pagefile Backed Memory | rw |
|
|
|
- |
| dictionary.xbf | 0xae82290000 | 0xae82293fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ae822a0000 | 0xae822a0000 | 0xae822a6fff | Private Memory | rw |
|
|
|
- |
| resources.en-us.pri | 0xae822b0000 | 0xae822c5fff | Memory Mapped File | r |
|
|
|
- |
| reactivecat1themeresources.xbf | 0xae822d0000 | 0xae822d4fff | Memory Mapped File | r |
|
|
|
- |
| speechtextinputthemeresources.xbf | 0xae822e0000 | 0xae822e1fff | Memory Mapped File | r |
|
|
|
- |
| cortanawindow.xbf | 0xae822f0000 | 0xae822f0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ae82300000 | 0xae82300000 | 0xae823fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae82400000 | 0xae82400000 | 0xae824fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae82500000 | 0xae82500000 | 0xae825fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae82600000 | 0xae82600000 | 0xae82dfffff | Private Memory | - |
|
|
|
- |
| private_0x000000ae82e00000 | 0xae82e00000 | 0xae82efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae82f00000 | 0xae82f00000 | 0xae82ffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae83000000 | 0xae83000000 | 0xae830fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae83100000 | 0xae83100000 | 0xae831fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae83200000 | 0xae83200000 | 0xae832fffff | Private Memory | rw |
|
|
|
- |
| shell32.dll.mui | 0xae83400000 | 0xae83460fff | Memory Mapped File | r |
|
|
|
- |
| chrome.xbf | 0xae83470000 | 0xae83477fff | Memory Mapped File | r |
|
|
|
- |
| msxml6r.dll | 0xae834a0000 | 0xae834a0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ae834b0000 | 0xae834b0000 | 0xae834b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| homeburgermenucontrol.xbf | 0xae834c0000 | 0xae834c0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ae834d0000 | 0xae834d0000 | 0xae834d6fff | Private Memory | rw |
|
|
|
- |
| greetingscontrol.xbf | 0xae834e0000 | 0xae834e1fff | Memory Mapped File | r |
|
|
|
- |
| hostedwebviewcontrol.xbf | 0xae834f0000 | 0xae834f0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ae83500000 | 0xae83500000 | 0xae835fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ae83600000 | 0xae83600000 | 0xae836b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ae836c0000 | 0xae836c0000 | 0xae836c6fff | Private Memory | rw |
|
|
|
- |
| speechtextinputcontrol.xbf | 0xae836d0000 | 0xae836d1fff | Memory Mapped File | r |
|
|
|
- |
| searchboxcontrol.xbf | 0xae836e0000 | 0xae836e0fff | Memory Mapped File | r |
|
|
|
- |
| windows.ui.xaml.dll.mui | 0xae836f0000 | 0xae836f9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ae83700000 | 0xae83700000 | 0xae837fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae83800000 | 0xae83800000 | 0xae838fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae83900000 | 0xae83900000 | 0xae839fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae83a00000 | 0xae83a00000 | 0xae83afffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-system.dat | 0xae83b00000 | 0xae83b75fff | Memory Mapped File | r |
|
|
|
- |
| ~fontcache-fontface.dat | 0xae83b80000 | 0xae84b7ffff | Memory Mapped File | r |
|
|
|
- |
| segoeui.ttf | 0xae84b80000 | 0xae84c5efff | Memory Mapped File | r |
|
|
|
- |
| ~fontcache-s-1-5-21-1462094071-1423818996-289466292-1000.dat | 0xae84c60000 | 0xae8545ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ae85660000 | 0xae85660000 | 0xae85660fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae85670000 | 0xae85670000 | 0xae85670fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ae85680000 | 0xae85680000 | 0xae85683fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ae85690000 | 0xae85690000 | 0xae856affff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae856b0000 | 0xae856b0000 | 0xae856fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae85700000 | 0xae85700000 | 0xae857fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae85800000 | 0xae85800000 | 0xae858fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae85900000 | 0xae85900000 | 0xae85900fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae85910000 | 0xae85910000 | 0xae85910fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ae85920000 | 0xae85920000 | 0xae85920fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ae85930000 | 0xae85930000 | 0xae85936fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ae85940000 | 0xae85940000 | 0xae85940fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ae85950000 | 0xae85950000 | 0xae85950fff | Private Memory | rw |
|
|
|
- |
| edgehtml.dll.mui | 0xae85960000 | 0xae859bffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000ae859c0000 | 0xae859c0000 | 0xae859cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ae859d0000 | 0xae859d0000 | 0xae859dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ae859e0000 | 0xae859e0000 | 0xae859fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae85a00000 | 0xae85a00000 | 0xae85afffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae85b00000 | 0xae85b00000 | 0xae85bfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae85c00000 | 0xae85c00000 | 0xae85cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae85d00000 | 0xae85d00000 | 0xae85dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae85e00000 | 0xae85e00000 | 0xae85efffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae85f00000 | 0xae85f00000 | 0xae85ffffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86000000 | 0xae86000000 | 0xae860fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86100000 | 0xae86100000 | 0xae8611ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86120000 | 0xae86120000 | 0xae8616ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86170000 | 0xae86170000 | 0xae8626ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86270000 | 0xae86270000 | 0xae8628ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86290000 | 0xae86290000 | 0xae8638ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86390000 | 0xae86390000 | 0xae863affff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae863b0000 | 0xae863b0000 | 0xae863cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae863d0000 | 0xae863d0000 | 0xae863effff | Private Memory | rw |
|
|
|
- |
| cortana.internal.search.winmd | 0xae863f0000 | 0xae86400fff | Memory Mapped File | rwx |
|
|
|
- |
| cortana.search.winmd | 0xae86410000 | 0xae86417fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000ae86420000 | 0xae86420000 | 0xae8643ffff | Private Memory | rw |
|
|
|
- |
| windows.foundation.winmd | 0xae86440000 | 0xae8644efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.security.winmd | 0xae86450000 | 0xae8646dfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000ae86470000 | 0xae86470000 | 0xae8656ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86570000 | 0xae86570000 | 0xae8658ffff | Private Memory | rw |
|
|
|
- |
| windows.storage.winmd | 0xae86590000 | 0xae865aafff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000ae865b0000 | 0xae865b0000 | 0xae865cffff | Private Memory | rw |
|
|
|
- |
| chakra.dll.mui | 0xae865d0000 | 0xae865d9fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ae865e0000 | 0xae865e0000 | 0xae865fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86620000 | 0xae86620000 | 0xae8663ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86680000 | 0xae86680000 | 0xae8669ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae866a0000 | 0xae866a0000 | 0xae866bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae866c0000 | 0xae866c0000 | 0xae867bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae867e0000 | 0xae867e0000 | 0xae867fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86800000 | 0xae86800000 | 0xae8681ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86820000 | 0xae86820000 | 0xae8683ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86840000 | 0xae86840000 | 0xae8685ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86860000 | 0xae86860000 | 0xae8687ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86880000 | 0xae86880000 | 0xae8689ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae868c0000 | 0xae868c0000 | 0xae868dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae868e0000 | 0xae868e0000 | 0xae868fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86900000 | 0xae86900000 | 0xae869fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86a00000 | 0xae86a00000 | 0xae86afffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86b00000 | 0xae86b00000 | 0xae86bfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86c40000 | 0xae86c40000 | 0xae86c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86c60000 | 0xae86c60000 | 0xae86c7ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000000ae86c80000 | 0xae86c80000 | 0xae86c9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86ca0000 | 0xae86ca0000 | 0xae86cbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86cc0000 | 0xae86cc0000 | 0xae86cdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86ce0000 | 0xae86ce0000 | 0xae86cfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86d20000 | 0xae86d20000 | 0xae86d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86d40000 | 0xae86d40000 | 0xae86d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86d60000 | 0xae86d60000 | 0xae86d7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86d80000 | 0xae86d80000 | 0xae86d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86da0000 | 0xae86da0000 | 0xae86dbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86dc0000 | 0xae86dc0000 | 0xae86ddffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86de0000 | 0xae86de0000 | 0xae86dfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86e00000 | 0xae86e00000 | 0xae86e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86e20000 | 0xae86e20000 | 0xae86e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86e40000 | 0xae86e40000 | 0xae86f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86f40000 | 0xae86f40000 | 0xae86f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86f60000 | 0xae86f60000 | 0xae86f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86f80000 | 0xae86f80000 | 0xae86f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86fa0000 | 0xae86fa0000 | 0xae86fbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86fc0000 | 0xae86fc0000 | 0xae86fdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae86fe0000 | 0xae86fe0000 | 0xae86ffffff | Private Memory | rwx |
|
|
|
- |
| private_0x000000ae87000000 | 0xae87000000 | 0xae870fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae87100000 | 0xae87100000 | 0xae871fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae87200000 | 0xae87200000 | 0xae872fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae87300000 | 0xae87300000 | 0xae8731ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae873c0000 | 0xae873c0000 | 0xae874bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae874c0000 | 0xae874c0000 | 0xae874dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae874e0000 | 0xae874e0000 | 0xae874fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae87600000 | 0xae87600000 | 0xae8761ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae87620000 | 0xae87620000 | 0xae8763ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ae87640000 | 0xae87640000 | 0xae8765ffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 248 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create Remote Thread | #1: c:\users\ciihmnxmn6ps\desktop\zotci.exe | 0xf0c | address = 0x7ff7503c2870 |
|
1 |
Host Behavior
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\users\Public\sys | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN |
|
1 | |
| Create | C:\users\Public\sys | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN |
|
1 |
Module (78)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffc55800000 |
|
1 | |
| Load | mpr.dll | base_address = 0x7ffc53810000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x7ffc57aa0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7ffc57750000 |
|
1 | |
| Load | Shell32.dll | base_address = 0x7ffc559d0000 |
|
1 | |
| Load | Iphlpapi.dll | base_address = 0x7ffc51c50000 |
|
1 | |
| Get Address | Unknown module name | function = LoadLibraryA, address_out = 0x7ffc55822080 |
|
1 | |
| Get Address | Unknown module name | function = GetLastError, address_out = 0x7ffc55816060 |
|
1 | |
| Get Address | Unknown module name | function = VirtualFree, address_out = 0x7ffc5581bc10 |
|
1 | |
| Get Address | Unknown module name | function = CryptExportKey, address_out = 0x7ffc57ab7b50 |
|
1 | |
| Get Address | Unknown module name | function = DeleteFileW, address_out = 0x7ffc558257a0 |
|
1 | |
| Get Address | Unknown module name | function = GetDriveTypeW, address_out = 0x7ffc558258f0 |
|
1 | |
| Get Address | Unknown module name | function = GetCommandLineW, address_out = 0x7ffc55820150 |
|
1 | |
| Get Address | Unknown module name | function = GetStartupInfoW, address_out = 0x7ffc5581ed80 |
|
1 | |
| Get Address | Unknown module name | function = FindNextFileW, address_out = 0x7ffc55825880 |
|
1 | |
| Get Address | Unknown module name | function = VirtualAlloc, address_out = 0x7ffc5581baf0 |
|
1 | |
| Get Address | Unknown module name | function = GetUserNameA, address_out = 0x7ffc57acec40 |
|
1 | |
| Get Address | Unknown module name | function = ExitProcess, address_out = 0x7ffc5581ef50 |
|
1 | |
| Get Address | Unknown module name | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffc558436a0 |
|
1 | |
| Get Address | Unknown module name | function = CreateProcessA, address_out = 0x7ffc5581d5b0 |
|
1 | |
| Get Address | Unknown module name | function = GetIpNetTable, address_out = 0x7ffc51c6f0b0 |
|
1 | |
| Get Address | Unknown module name | function = GetVersionExW, address_out = 0x7ffc5581aa30 |
|
1 | |
| Get Address | Unknown module name | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffc55843690 |
|
1 | |
| Get Address | Unknown module name | function = GetSystemDefaultLangID, address_out = 0x7ffc55822ba0 |
|
1 | |
| Get Address | Unknown module name | function = GetUserNameW, address_out = 0x7ffc57abda40 |
|
1 | |
| Get Address | Unknown module name | function = ReadFile, address_out = 0x7ffc55825a90 |
|
1 | |
| Get Address | Unknown module name | function = RegQueryValueExA, address_out = 0x7ffc57ab7dd0 |
|
1 | |
| Get Address | Unknown module name | function = CloseHandle, address_out = 0x7ffc55825510 |
|
1 | |
| Get Address | Unknown module name | function = RegSetValueExW, address_out = 0x7ffc57ab7850 |
|
1 | |
| Get Address | Unknown module name | function = RegCloseKey, address_out = 0x7ffc57ab72e0 |
|
1 | |
| Get Address | Unknown module name | function = CopyFileA, address_out = 0x7ffc5583e430 |
|
1 | |
| Get Address | Unknown module name | function = SetFileAttributesW, address_out = 0x7ffc55825b00 |
|
1 | |
| Get Address | Unknown module name | function = WinExec, address_out = 0x7ffc55841e60 |
|
1 | |
| Get Address | Unknown module name | function = CryptDeriveKey, address_out = 0x7ffc57ad07a0 |
|
1 | |
| Get Address | Unknown module name | function = CryptGenKey, address_out = 0x7ffc57abcab0 |
|
1 | |
| Get Address | Unknown module name | function = Sleep, address_out = 0x7ffc55818f00 |
|
1 | |
| Get Address | Unknown module name | function = GetCurrentProcess, address_out = 0x7ffc55816580 |
|
1 | |
| Get Address | Unknown module name | function = ShellExecuteW, address_out = 0x7ffc55b1abc0 |
|
1 | |
| Get Address | Unknown module name | function = GetFileSize, address_out = 0x7ffc55825950 |
|
1 | |
| Get Address | Unknown module name | function = GlobalAlloc, address_out = 0x7ffc5581b810 |
|
1 | |
| Get Address | Unknown module name | function = FindClose, address_out = 0x7ffc558257c0 |
|
1 | |
| Get Address | Unknown module name | function = WaitForMultipleObjects, address_out = 0x7ffc558256e0 |
|
1 | |
| Get Address | Unknown module name | function = GetModuleFileNameA, address_out = 0x7ffc55820c70 |
|
1 | |
| Get Address | Unknown module name | function = ShellExecuteA, address_out = 0x7ffc55bd7de0 |
|
1 | |
| Get Address | Unknown module name | function = GetModuleHandleA, address_out = 0x7ffc5581e6d0 |
|
1 | |
| Get Address | Unknown module name | function = GetModuleFileNameW, address_out = 0x7ffc5581eca0 |
|
1 | |
| Get Address | Unknown module name | function = CreateFileA, address_out = 0x7ffc55825760 |
|
1 | |
| Get Address | Unknown module name | function = GetFileSizeEx, address_out = 0x7ffc55825960 |
|
1 | |
| Get Address | Unknown module name | function = WriteFile, address_out = 0x7ffc55825b80 |
|
1 | |
| Get Address | Unknown module name | function = GetLogicalDrives, address_out = 0x7ffc558166d0 |
|
1 | |
| Get Address | Unknown module name | function = WNetEnumResourceW, address_out = 0x7ffc538127d0 |
|
1 | |
| Get Address | Unknown module name | function = RegOpenKeyExW, address_out = 0x7ffc57ab6cb0 |
|
1 | |
| Get Address | Unknown module name | function = WNetCloseEnum, address_out = 0x7ffc53812e20 |
|
1 | |
| Get Address | Unknown module name | function = GetWindowsDirectoryW, address_out = 0x7ffc55822940 |
|
1 | |
| Get Address | Unknown module name | function = SetFileAttributesA, address_out = 0x7ffc55825af0 |
|
1 | |
| Get Address | Unknown module name | function = RegOpenKeyExA, address_out = 0x7ffc57ab7d70 |
|
1 | |
| Get Address | Unknown module name | function = SetFilePointer, address_out = 0x7ffc55825b20 |
|
1 | |
| Get Address | Unknown module name | function = GetTickCount, address_out = 0x7ffc558160a0 |
|
1 | |
| Get Address | Unknown module name | function = GetFileAttributesW, address_out = 0x7ffc55825930 |
|
1 | |
| Get Address | Unknown module name | function = FindFirstFileW, address_out = 0x7ffc55825840 |
|
1 | |
| Get Address | Unknown module name | function = CryptAcquireContextW, address_out = 0x7ffc57ab89e0 |
|
1 | |
| Get Address | Unknown module name | function = MoveFileExW, address_out = 0x7ffc55823010 |
|
1 | |
| Get Address | Unknown module name | function = WNetOpenEnumW, address_out = 0x7ffc53812f20 |
|
1 | |
| Get Address | Unknown module name | function = CoInitialize, address_out = 0x7ffc57763870 |
|
1 | |
| Get Address | Unknown module name | function = CryptDecrypt, address_out = 0x7ffc57ab9140 |
|
1 | |
| Get Address | Unknown module name | function = CryptImportKey, address_out = 0x7ffc57ab7b40 |
|
1 | |
| Get Address | Unknown module name | function = SetFilePointerEx, address_out = 0x7ffc55825b30 |
|
1 | |
| Get Address | Unknown module name | function = CopyFileW, address_out = 0x7ffc55825d70 |
|
1 | |
| Get Address | Unknown module name | function = FreeLibrary, address_out = 0x7ffc5581eb90 |
|
1 | |
| Get Address | Unknown module name | function = CreateProcessW, address_out = 0x7ffc5581dee0 |
|
1 | |
| Get Address | Unknown module name | function = CreateDirectoryW, address_out = 0x7ffc55825740 |
|
1 | |
| Get Address | Unknown module name | function = CreateThread, address_out = 0x7ffc5581bc20 |
|
1 | |
| Get Address | Unknown module name | function = CryptDestroyKey, address_out = 0x7ffc57ab86b0 |
|
1 | |
| Get Address | Unknown module name | function = CoCreateInstance, address_out = 0x7ffc57257000 |
|
1 | |
| Get Address | Unknown module name | function = CreateFileW, address_out = 0x7ffc55825770 |
|
1 | |
| Get Address | Unknown module name | function = GetFileAttributesA, address_out = 0x7ffc55825900 |
|
1 | |
| Get Address | Unknown module name | function = CryptEncrypt, address_out = 0x7ffc57abd7e0 |
|
1 | |
| Get Address | Unknown module name | function = RegDeleteValueW, address_out = 0x7ffc57ab90b0 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeBackupPrivilege, luid = 17 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 |
Process #17: backgroundtaskhost.exe
86
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\windows\system32\backgroundtaskhost.exe |
| Command Line | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca |
| Initial Working Directory | C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\ |
| Monitor | Start Time: 00:01:14, Reason: Injection |
| Unmonitor | End Time: 00:02:33, Reason: Crashed |
| Monitor Duration | 00:01:19 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8a4 |
| Parent PID | 0x23c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
CAC
0x
C90
0x
C8C
0x
A40
0x
2CC
0x
52C
0x
A94
0x
40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000d829930000 | 0xd829930000 | 0xd82993ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000d829940000 | 0xd829940000 | 0xd829940fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d829950000 | 0xd829950000 | 0xd829963fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d829970000 | 0xd829970000 | 0xd8299effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d8299f0000 | 0xd8299f0000 | 0xd8299f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d829a00000 | 0xd829a00000 | 0xd829a01fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d829a10000 | 0xd829a10000 | 0xd829a10fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xd829a20000 | 0xd829addfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d829ae0000 | 0xd829ae0000 | 0xd829ae0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d829af0000 | 0xd829af0000 | 0xd829af6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d829b00000 | 0xd829b00000 | 0xd829bfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d829c00000 | 0xd829c00000 | 0xd829c7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d829c80000 | 0xd829c80000 | 0xd829ca9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000d829cb0000 | 0xd829cb0000 | 0xd829d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d829d30000 | 0xd829d30000 | 0xd829daffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d829db0000 | 0xd829db0000 | 0xd829db1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000d829de0000 | 0xd829de0000 | 0xd829de6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d829e00000 | 0xd829e00000 | 0xd829efffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d829f00000 | 0xd829f00000 | 0xd82a087fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d82a090000 | 0xd82a090000 | 0xd82a210fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d82a220000 | 0xd82a220000 | 0xd82b61ffff | Pagefile Backed Memory | r |
|
|
|
- |
| kernelbase.dll.mui | 0xd82b620000 | 0xd82b6fefff | Memory Mapped File | r |
|
|
|
- |
| sortdefault.nls | 0xd82b700000 | 0xd82ba36fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d82ba40000 | 0xd82ba40000 | 0xd82babffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d82bac0000 | 0xd82bac0000 | 0xd82bbbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d82bbc0000 | 0xd82bbc0000 | 0xd82bc3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d82bc40000 | 0xd82bc40000 | 0xd82bcbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffa20000 | 0x7df5ffa20000 | 0x7ff5ffa1ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7503c0000 | 0x7ff7503c0000 | 0x7ff750756fff | Private Memory | rwx |
|
|
|
- |
| private_0x00007ff7e0aae000 | 0x7ff7e0aae000 | 0x7ff7e0aaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7e0ab0000 | 0x7ff7e0ab0000 | 0x7ff7e0baffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7e0bb0000 | 0x7ff7e0bb0000 | 0x7ff7e0bd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7e0bd3000 | 0x7ff7e0bd3000 | 0x7ff7e0bd4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7e0bd5000 | 0x7ff7e0bd5000 | 0x7ff7e0bd6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7e0bd7000 | 0x7ff7e0bd7000 | 0x7ff7e0bd8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7e0bd9000 | 0x7ff7e0bd9000 | 0x7ff7e0bdafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7e0bdb000 | 0x7ff7e0bdb000 | 0x7ff7e0bdcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7e0bdd000 | 0x7ff7e0bdd000 | 0x7ff7e0bdefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7e0bdf000 | 0x7ff7e0bdf000 | 0x7ff7e0bdffff | Private Memory | rw |
|
|
|
- |
| backgroundtaskhost.exe | 0x7ff7e11b0000 | 0x7ff7e11b6fff | Memory Mapped File | rwx |
|
|
|
- |
| contentdeliverymanager.background.dll | 0x7ffc3ff90000 | 0x7ffc40203fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.applicationmodel.background.timebroker.dll | 0x7ffc424a0000 | 0x7ffc424abfff | Memory Mapped File | rwx |
|
|
|
- |
| biwinrt.dll | 0x7ffc44140000 | 0x7ffc44172fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.applicationdata.dll | 0x7ffc45050000 | 0x7ffc450a2fff | Memory Mapped File | rwx |
|
|
|
- |
| veeventdispatcher.dll | 0x7ffc46bb0000 | 0x7ffc46bf8fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffc48ff0000 | 0x7ffc49459fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.globalization.dll | 0x7ffc4d520000 | 0x7ffc4d6a5fff | Memory Mapped File | rwx |
|
|
|
- |
| mrmcorer.dll | 0x7ffc4f1f0000 | 0x7ffc4f2fefff | Memory Mapped File | rwx |
|
|
|
- |
| wincorlib.dll | 0x7ffc4f300000 | 0x7ffc4f369fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp110_win.dll | 0x7ffc4f8f0000 | 0x7ffc4f981fff | Memory Mapped File | rwx |
|
|
|
- |
| policymanager.dll | 0x7ffc4f990000 | 0x7ffc4f9c8fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ffc50c00000 | 0x7ffc50d30fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| bcp47langs.dll | 0x7ffc52660000 | 0x7ffc526c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sppc.dll | 0x7ffc52bd0000 | 0x7ffc52bf4fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x7ffc52c00000 | 0x7ffc52c25fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ffc52f40000 | 0x7ffc5302dfff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffc53810000 | 0x7ffc5382bfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\zotci.exe | 0xf0c | address = 0x7ff7503c0000, size = 3764224 |
|
1 | |
| Create Remote Thread | #1: c:\users\ciihmnxmn6ps\desktop\zotci.exe | 0xf0c | address = 0x7ff7503c2870 |
|
1 |
Host Behavior
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\users\Public\sys | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN |
|
1 | |
| Create | C:\users\Public\sys | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN |
|
1 |
Module (78)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffc55800000 |
|
1 | |
| Load | mpr.dll | base_address = 0x7ffc53810000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x7ffc57aa0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7ffc57750000 |
|
1 | |
| Load | Shell32.dll | base_address = 0x7ffc559d0000 |
|
1 | |
| Load | Iphlpapi.dll | base_address = 0x7ffc51c50000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7ffc55822080 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7ffc55816060 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualFree, address_out = 0x7ffc5581bc10 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptExportKey, address_out = 0x7ffc57ab7b50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileW, address_out = 0x7ffc558257a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDriveTypeW, address_out = 0x7ffc558258f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCommandLineW, address_out = 0x7ffc55820150 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetStartupInfoW, address_out = 0x7ffc5581ed80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileW, address_out = 0x7ffc55825880 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualAlloc, address_out = 0x7ffc5581baf0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7ffc57acec40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ExitProcess, address_out = 0x7ffc5581ef50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffc558436a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x7ffc5581d5b0 |
|
1 | |
| Get Address | c:\windows\system32\iphlpapi.dll | function = GetIpNetTable, address_out = 0x7ffc51c6f0b0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x7ffc5581aa30 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffc55843690 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDefaultLangID, address_out = 0x7ffc55822ba0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameW, address_out = 0x7ffc57abda40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x7ffc55825a90 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegQueryValueExA, address_out = 0x7ffc57ab7dd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7ffc55825510 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegSetValueExW, address_out = 0x7ffc57ab7850 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7ffc57ab72e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7ffc5583e430 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesW, address_out = 0x7ffc55825b00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WinExec, address_out = 0x7ffc55841e60 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDeriveKey, address_out = 0x7ffc57ad07a0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptGenKey, address_out = 0x7ffc57abcab0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Sleep, address_out = 0x7ffc55818f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcess, address_out = 0x7ffc55816580 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteW, address_out = 0x7ffc55b1abc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x7ffc55825950 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GlobalAlloc, address_out = 0x7ffc5581b810 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x7ffc558257c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForMultipleObjects, address_out = 0x7ffc558256e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameA, address_out = 0x7ffc55820c70 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteA, address_out = 0x7ffc55bd7de0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleA, address_out = 0x7ffc5581e6d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameW, address_out = 0x7ffc5581eca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7ffc55825760 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSizeEx, address_out = 0x7ffc55825960 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x7ffc55825b80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalDrives, address_out = 0x7ffc558166d0 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetEnumResourceW, address_out = 0x7ffc538127d0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7ffc57ab6cb0 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetCloseEnum, address_out = 0x7ffc53812e20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x7ffc55822940 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x7ffc55825af0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExA, address_out = 0x7ffc57ab7d70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7ffc55825b20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount, address_out = 0x7ffc558160a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesW, address_out = 0x7ffc55825930 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileW, address_out = 0x7ffc55825840 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextW, address_out = 0x7ffc57ab89e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MoveFileExW, address_out = 0x7ffc55823010 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetOpenEnumW, address_out = 0x7ffc53812f20 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoInitialize, address_out = 0x7ffc57763870 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDecrypt, address_out = 0x7ffc57ab9140 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptImportKey, address_out = 0x7ffc57ab7b40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointerEx, address_out = 0x7ffc55825b30 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileW, address_out = 0x7ffc55825d70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibrary, address_out = 0x7ffc5581eb90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessW, address_out = 0x7ffc5581dee0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryW, address_out = 0x7ffc55825740 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThread, address_out = 0x7ffc5581bc20 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDestroyKey, address_out = 0x7ffc57ab86b0 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoCreateInstance, address_out = 0x7ffc57257000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileW, address_out = 0x7ffc55825770 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesA, address_out = 0x7ffc55825900 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptEncrypt, address_out = 0x7ffc57abd7e0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueW, address_out = 0x7ffc57ab90b0 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeBackupPrivilege, luid = 17 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 |
Process #18: sihost.exe
0
0
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\system32\sihost.exe |
| Command Line | sihost.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:14, Reason: Child Process |
| Unmonitor | End Time: 00:01:18, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdb4 |
| Parent PID | 0x704 (c:\windows\system32\sihost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs | - |
Process #19: net.exe
0
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:21, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe28 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E20
0x
A10
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000004912b00000 | 0x4912b00000 | 0x4912b1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004912b20000 | 0x4912b20000 | 0x4912b33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004912b40000 | 0x4912b40000 | 0x4912bbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004912bc0000 | 0x4912bc0000 | 0x4912bc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000004912bd0000 | 0x4912bd0000 | 0x4912bd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004912be0000 | 0x4912be0000 | 0x4912be1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000004912d90000 | 0x4912d90000 | 0x4912e8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffe90000 | 0x7df5ffe90000 | 0x7ff5ffe8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca750000 | 0x7ff7ca750000 | 0x7ff7ca772fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca778000 | 0x7ff7ca778000 | 0x7ff7ca778fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca77e000 | 0x7ff7ca77e000 | 0x7ff7ca77ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #21: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #21 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:21, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x90c |
| Parent PID | 0xe28 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AEC
0x
510
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000005f14880000 | 0x5f14880000 | 0x5f1489ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005f14880000 | 0x5f14880000 | 0x5f1488ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000005f14890000 | 0x5f14890000 | 0x5f14896fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005f148a0000 | 0x5f148a0000 | 0x5f148b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005f148c0000 | 0x5f148c0000 | 0x5f1493ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000005f14940000 | 0x5f14940000 | 0x5f14943fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000005f14950000 | 0x5f14950000 | 0x5f14950fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000005f14960000 | 0x5f14960000 | 0x5f14961fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x5f14970000 | 0x5f14a2dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005f14a30000 | 0x5f14a30000 | 0x5f14a36fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x5f14a40000 | 0x5f14a42fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000005f14a60000 | 0x5f14a60000 | 0x5f14b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000005f14b60000 | 0x5f14b60000 | 0x5f14bdffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x5f14be0000 | 0x5f14c11fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000005f14d90000 | 0x5f14d90000 | 0x5f14d9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff6e0000 | 0x7df5ff6e0000 | 0x7ff5ff6dffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648810000 | 0x7ff648810000 | 0x7ff64890ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648910000 | 0x7ff648910000 | 0x7ff648932fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff64893a000 | 0x7ff64893a000 | 0x7ff64893bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64893c000 | 0x7ff64893c000 | 0x7ff64893cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64893e000 | 0x7ff64893e000 | 0x7ff64893ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50dd0000 | 0x7ffc50de3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x5f14a40000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #22: werfault.exe
0
0
| Information | Value |
|---|---|
| ID | #22 |
| File Name | c:\windows\system32\werfault.exe |
| Command Line | C:\Windows\system32\WerFault.exe -u -p 1916 -s 1152 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:23, Reason: Child Process |
| Unmonitor | End Time: 00:04:44, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:21 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6d0 |
| Parent PID | 0x77c (c:\windows\system32\taskhostw.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A80
0x
DFC
0x
754
0x
DF8
0x
E18
0x
2F0
0x
8A8
0x
6B4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000c3d2c20000 | 0xc3d2c20000 | 0xc3d2c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c3d2c20000 | 0xc3d2c20000 | 0xc3d2c2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000c3d2c30000 | 0xc3d2c30000 | 0xc3d2c36fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c3d2c40000 | 0xc3d2c40000 | 0xc3d2c53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c3d2c60000 | 0xc3d2c60000 | 0xc3d2cdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c3d2ce0000 | 0xc3d2ce0000 | 0xc3d2ce3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c3d2cf0000 | 0xc3d2cf0000 | 0xc3d2cf2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c3d2d00000 | 0xc3d2d00000 | 0xc3d2d01fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xc3d2d10000 | 0xc3d2dcdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c3d2dd0000 | 0xc3d2dd0000 | 0xc3d2e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c3d2e50000 | 0xc3d2e50000 | 0xc3d2e56fff | Private Memory | rw |
|
|
|
- |
| werfault.exe.mui | 0xc3d2e60000 | 0xc3d2e63fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c3d2e70000 | 0xc3d2e70000 | 0xc3d2e70fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c3d2e80000 | 0xc3d2e80000 | 0xc3d2e80fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c3d2e90000 | 0xc3d2e90000 | 0xc3d2e90fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000c3d2ea0000 | 0xc3d2ea0000 | 0xc3d2eaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c3d2eb0000 | 0xc3d2eb0000 | 0xc3d2faffff | Private Memory | rw |
|
|
|
- |
| faultrep.dll.mui | 0xc3d2fb0000 | 0xc3d2fb1fff | Memory Mapped File | r |
|
|
|
- |
| wer.dll.mui | 0xc3d2fc0000 | 0xc3d2fc2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c3d2fd0000 | 0xc3d2fd0000 | 0xc3d2fd6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c3d2fe0000 | 0xc3d2fe0000 | 0xc3d2fe1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c3d2ff0000 | 0xc3d2ff0000 | 0xc3d2ffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c3d3000000 | 0xc3d3000000 | 0xc3d3187fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c3d3190000 | 0xc3d3190000 | 0xc3d3310fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c3d3320000 | 0xc3d3320000 | 0xc3d471ffff | Pagefile Backed Memory | r |
|
|
|
- |
| ntdll.dll.mui | 0xc3d4720000 | 0xc3d4785fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000c3d4790000 | 0xc3d4790000 | 0xc3d4791fff | Pagefile Backed Memory | r |
|
|
|
- |
| werui.dll.mui | 0xc3d47a0000 | 0xc3d47a4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000c3d47b0000 | 0xc3d47b0000 | 0xc3d47b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c3d47c0000 | 0xc3d47c0000 | 0xc3d47cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xc3d47d0000 | 0xc3d4b06fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000c3d4b10000 | 0xc3d4b10000 | 0xc3d4b10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c3d4b20000 | 0xc3d4b20000 | 0xc3d4b21fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c3d4b30000 | 0xc3d4b30000 | 0xc3d4b33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c3d4b40000 | 0xc3d4b40000 | 0xc3d4b46fff | Private Memory | rw |
|
|
|
- |
| duser.dll.mui | 0xc3d4b50000 | 0xc3d4b50fff | Memory Mapped File | r |
|
|
|
- |
| comctl32.dll.mui | 0xc3d4b60000 | 0xc3d4b62fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000c3d4b70000 | 0xc3d4b70000 | 0xc3d4b70fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000c3d4b80000 | 0xc3d4b80000 | 0xc3d4b82fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c3d4b90000 | 0xc3d4b90000 | 0xc3d4c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c3d4c90000 | 0xc3d4c90000 | 0xc3d4d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c3d4d90000 | 0xc3d4d90000 | 0xc3d4e8ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0xc3d4e90000 | 0xc3d4f6efff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c3d4f70000 | 0xc3d4f70000 | 0xc3d506ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c3d5070000 | 0xc3d5070000 | 0xc3d50effff | Private Memory | rw |
|
|
|
- |
| private_0x000000c3d50f0000 | 0xc3d50f0000 | 0xc3d516ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c3d5170000 | 0xc3d5170000 | 0xc3d51effff | Private Memory | rw |
|
|
|
- |
| private_0x000000c3d51f0000 | 0xc3d51f0000 | 0xc3d526ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c3d5270000 | 0xc3d5270000 | 0xc3d52effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c3d52f0000 | 0xc3d52f0000 | 0xc3d53a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c3d53b0000 | 0xc3d53b0000 | 0xc3d58a1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| staticcache.dat | 0xc3d58b0000 | 0xc3d68effff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000c3d68f0000 | 0xc3d68f0000 | 0xc3d6938fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000c3d6940000 | 0xc3d6940000 | 0xc3d6940fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffb20000 | 0x7df5ffb20000 | 0x7ff5ffb1ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7397be000 | 0x7ff7397be000 | 0x7ff7397bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7397c0000 | 0x7ff7397c0000 | 0x7ff7398bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7398c0000 | 0x7ff7398c0000 | 0x7ff7398e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7398e3000 | 0x7ff7398e3000 | 0x7ff7398e4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7398e5000 | 0x7ff7398e5000 | 0x7ff7398e5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7398e6000 | 0x7ff7398e6000 | 0x7ff7398e7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7398e8000 | 0x7ff7398e8000 | 0x7ff7398e9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7398ea000 | 0x7ff7398ea000 | 0x7ff7398ebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7398ec000 | 0x7ff7398ec000 | 0x7ff7398edfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7398ee000 | 0x7ff7398ee000 | 0x7ff7398effff | Private Memory | rw |
|
|
|
- |
| werfault.exe | 0x7ff739e30000 | 0x7ff739e7afff | Memory Mapped File | rwx |
|
|
|
- |
| dbgeng.dll | 0x7ffc3e090000 | 0x7ffc3e56bfff | Memory Mapped File | rwx |
|
|
|
- |
| dui70.dll | 0x7ffc3e820000 | 0x7ffc3e9cffff | Memory Mapped File | rwx |
|
|
|
- |
| wer.dll | 0x7ffc3fb50000 | 0x7ffc3fbedfff | Memory Mapped File | rwx |
|
|
|
- |
| dbghelp.dll | 0x7ffc3fe00000 | 0x7ffc3ff89fff | Memory Mapped File | rwx |
|
|
|
- |
| atlthunk.dll | 0x7ffc41be0000 | 0x7ffc41beffff | Memory Mapped File | rwx |
|
|
|
- |
| riched20.dll | 0x7ffc48e30000 | 0x7ffc48ecafff | Memory Mapped File | rwx |
|
|
|
- |
| msls31.dll | 0x7ffc48f30000 | 0x7ffc48f67fff | Memory Mapped File | rwx |
|
|
|
- |
| dbgmodel.dll | 0x7ffc48f50000 | 0x7ffc48fe0fff | Memory Mapped File | rwx |
|
|
|
- |
| werui.dll | 0x7ffc48f70000 | 0x7ffc48fe3fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ffc4b6e0000 | 0x7ffc4b6ebfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffc4b890000 | 0x7ffc4b899fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4cbd0000 | 0x7ffc4ce43fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7ffc4d170000 | 0x7ffc4d187fff | Memory Mapped File | rwx |
|
|
|
- |
| dbgcore.dll | 0x7ffc4d190000 | 0x7ffc4d1b4fff | Memory Mapped File | rwx |
|
|
|
- |
| faultrep.dll | 0x7ffc4d1c0000 | 0x7ffc4d21dfff | Memory Mapped File | rwx |
|
|
|
- |
| duser.dll | 0x7ffc4f3a0000 | 0x7ffc4f438fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ffc525f0000 | 0x7ffc52611fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffc52ef0000 | 0x7ffc52f16fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ffc53920000 | 0x7ffc53951fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #23: backgroundtaskhost.exe
86
0
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\windows\system32\backgroundtaskhost.exe |
| Command Line | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca |
| Initial Working Directory | C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\ |
| Monitor | Start Time: 00:01:26, Reason: Injection |
| Unmonitor | End Time: 00:02:32, Reason: Crashed |
| Monitor Duration | 00:01:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xca4 |
| Parent PID | 0x23c (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
CF4
0x
CF0
0x
CDC
0x
CD8
0x
CA8
0x
8C4
0x
DB0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000319ae00000 | 0x319ae00000 | 0x319ae0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000319ae10000 | 0x319ae10000 | 0x319ae10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000319ae20000 | 0x319ae20000 | 0x319ae33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000319ae40000 | 0x319ae40000 | 0x319aebffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000319aec0000 | 0x319aec0000 | 0x319aec3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000319aed0000 | 0x319aed0000 | 0x319aed1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000319aee0000 | 0x319aee0000 | 0x319aee0fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x319aef0000 | 0x319afadfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000319afb0000 | 0x319afb0000 | 0x319b02ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000319b030000 | 0x319b030000 | 0x319b030fff | Private Memory | rw |
|
|
|
- |
| private_0x000000319b040000 | 0x319b040000 | 0x319b046fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000319b050000 | 0x319b050000 | 0x319b079fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000319b0d0000 | 0x319b0d0000 | 0x319b0d6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000319b100000 | 0x319b100000 | 0x319b1fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000319b200000 | 0x319b200000 | 0x319b2fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000319b300000 | 0x319b300000 | 0x319b37ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000319b380000 | 0x319b380000 | 0x319b507fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000319b510000 | 0x319b510000 | 0x319b690fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000319b6a0000 | 0x319b6a0000 | 0x319ca9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| kernelbase.dll.mui | 0x319caa0000 | 0x319cb7efff | Memory Mapped File | r |
|
|
|
- |
| sortdefault.nls | 0x319cb80000 | 0x319ceb6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000319cec0000 | 0x319cec0000 | 0x319cf3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000319cf40000 | 0x319cf40000 | 0x319cfbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000319cfc0000 | 0x319cfc0000 | 0x319d0bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000319d0c0000 | 0x319d0c0000 | 0x319d13ffff | Private Memory | rw |
|
|
|
- |
| oleaut32.dll | 0x319d140000 | 0x319d1fcfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff840000 | 0x7df5ff840000 | 0x7ff5ff83ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7503c0000 | 0x7ff7503c0000 | 0x7ff750756fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00007ff7e0e40000 | 0x7ff7e0e40000 | 0x7ff7e0f3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7e0f40000 | 0x7ff7e0f40000 | 0x7ff7e0f62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7e0f63000 | 0x7ff7e0f63000 | 0x7ff7e0f64fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7e0f65000 | 0x7ff7e0f65000 | 0x7ff7e0f65fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7e0f66000 | 0x7ff7e0f66000 | 0x7ff7e0f67fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7e0f68000 | 0x7ff7e0f68000 | 0x7ff7e0f69fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7e0f6a000 | 0x7ff7e0f6a000 | 0x7ff7e0f6bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7e0f6c000 | 0x7ff7e0f6c000 | 0x7ff7e0f6dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7e0f6e000 | 0x7ff7e0f6e000 | 0x7ff7e0f6ffff | Private Memory | rw |
|
|
|
- |
| backgroundtaskhost.exe | 0x7ff7e11b0000 | 0x7ff7e11b6fff | Memory Mapped File | rwx |
|
|
|
- |
| mrmcorer.dll | 0x7ffc4f1f0000 | 0x7ffc4f2fefff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ffc50c00000 | 0x7ffc50d30fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ffc52f40000 | 0x7ffc5302dfff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffc53810000 | 0x7ffc5382bfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\zotci.exe | 0xf0c | address = 0x7ff7503c0000, size = 3764224 |
|
1 | |
| Create Remote Thread | #1: c:\users\ciihmnxmn6ps\desktop\zotci.exe | 0xf0c | address = 0x7ff7503c2870 |
|
1 |
Host Behavior
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\users\Public\sys | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN |
|
1 | |
| Create | C:\users\Public\sys | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN |
|
1 |
Module (78)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x7ffc55800000 |
|
1 | |
| Load | mpr.dll | base_address = 0x7ffc53810000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x7ffc57aa0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x7ffc57750000 |
|
1 | |
| Load | Shell32.dll | base_address = 0x7ffc559d0000 |
|
1 | |
| Load | Iphlpapi.dll | base_address = 0x7ffc51c50000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7ffc55822080 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7ffc55816060 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualFree, address_out = 0x7ffc5581bc10 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptExportKey, address_out = 0x7ffc57ab7b50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileW, address_out = 0x7ffc558257a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDriveTypeW, address_out = 0x7ffc558258f0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCommandLineW, address_out = 0x7ffc55820150 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetStartupInfoW, address_out = 0x7ffc5581ed80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileW, address_out = 0x7ffc55825880 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualAlloc, address_out = 0x7ffc5581baf0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7ffc57acec40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ExitProcess, address_out = 0x7ffc5581ef50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7ffc558436a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x7ffc5581d5b0 |
|
1 | |
| Get Address | c:\windows\system32\iphlpapi.dll | function = GetIpNetTable, address_out = 0x7ffc51c6f0b0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x7ffc5581aa30 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7ffc55843690 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDefaultLangID, address_out = 0x7ffc55822ba0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameW, address_out = 0x7ffc57abda40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x7ffc55825a90 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegQueryValueExA, address_out = 0x7ffc57ab7dd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7ffc55825510 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegSetValueExW, address_out = 0x7ffc57ab7850 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7ffc57ab72e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7ffc5583e430 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesW, address_out = 0x7ffc55825b00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WinExec, address_out = 0x7ffc55841e60 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDeriveKey, address_out = 0x7ffc57ad07a0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptGenKey, address_out = 0x7ffc57abcab0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Sleep, address_out = 0x7ffc55818f00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcess, address_out = 0x7ffc55816580 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteW, address_out = 0x7ffc55b1abc0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x7ffc55825950 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GlobalAlloc, address_out = 0x7ffc5581b810 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x7ffc558257c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForMultipleObjects, address_out = 0x7ffc558256e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameA, address_out = 0x7ffc55820c70 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = ShellExecuteA, address_out = 0x7ffc55bd7de0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleA, address_out = 0x7ffc5581e6d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameW, address_out = 0x7ffc5581eca0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7ffc55825760 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSizeEx, address_out = 0x7ffc55825960 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x7ffc55825b80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalDrives, address_out = 0x7ffc558166d0 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetEnumResourceW, address_out = 0x7ffc538127d0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExW, address_out = 0x7ffc57ab6cb0 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetCloseEnum, address_out = 0x7ffc53812e20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x7ffc55822940 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x7ffc55825af0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyExA, address_out = 0x7ffc57ab7d70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7ffc55825b20 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount, address_out = 0x7ffc558160a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesW, address_out = 0x7ffc55825930 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileW, address_out = 0x7ffc55825840 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextW, address_out = 0x7ffc57ab89e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MoveFileExW, address_out = 0x7ffc55823010 |
|
1 | |
| Get Address | c:\windows\system32\mpr.dll | function = WNetOpenEnumW, address_out = 0x7ffc53812f20 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoInitialize, address_out = 0x7ffc57763870 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDecrypt, address_out = 0x7ffc57ab9140 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptImportKey, address_out = 0x7ffc57ab7b40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointerEx, address_out = 0x7ffc55825b30 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileW, address_out = 0x7ffc55825d70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibrary, address_out = 0x7ffc5581eb90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessW, address_out = 0x7ffc5581dee0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryW, address_out = 0x7ffc55825740 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThread, address_out = 0x7ffc5581bc20 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDestroyKey, address_out = 0x7ffc57ab86b0 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoCreateInstance, address_out = 0x7ffc57257000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileW, address_out = 0x7ffc55825770 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesA, address_out = 0x7ffc55825900 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptEncrypt, address_out = 0x7ffc57abd7e0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueW, address_out = 0x7ffc57ab90b0 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeBackupPrivilege, luid = 17 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 5000 milliseconds (5.000 seconds) |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 |
Process #24: net.exe
0
0
| Information | Value |
|---|---|
| ID | #24 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:30, Reason: Child Process |
| Unmonitor | End Time: 00:01:32, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xefc |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DE8
0x
E08
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000e5818f0000 | 0xe5818f0000 | 0xe58190ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e581910000 | 0xe581910000 | 0xe581923fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e581930000 | 0xe581930000 | 0xe5819affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e5819b0000 | 0xe5819b0000 | 0xe5819b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e5819c0000 | 0xe5819c0000 | 0xe5819c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e5819d0000 | 0xe5819d0000 | 0xe5819d1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000e581a20000 | 0xe581a20000 | 0xe581b1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff020000 | 0x7df5ff020000 | 0x7ff5ff01ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7caa60000 | 0x7ff7caa60000 | 0x7ff7caa82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7caa85000 | 0x7ff7caa85000 | 0x7ff7caa85fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7caa8e000 | 0x7ff7caa8e000 | 0x7ff7caa8ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #26: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #26 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:31, Reason: Child Process |
| Unmonitor | End Time: 00:01:32, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdec |
| Parent PID | 0xefc (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DE4
0x
EE8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000007bb1c50000 | 0x7bb1c50000 | 0x7bb1c6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007bb1c50000 | 0x7bb1c50000 | 0x7bb1c5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000007bb1c60000 | 0x7bb1c60000 | 0x7bb1c66fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007bb1c70000 | 0x7bb1c70000 | 0x7bb1c83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007bb1c90000 | 0x7bb1c90000 | 0x7bb1d0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007bb1d10000 | 0x7bb1d10000 | 0x7bb1d13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000007bb1d20000 | 0x7bb1d20000 | 0x7bb1d20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007bb1d30000 | 0x7bb1d30000 | 0x7bb1d31fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x7bb1d40000 | 0x7bb1dfdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000007bb1e00000 | 0x7bb1e00000 | 0x7bb1e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007bb1e80000 | 0x7bb1e80000 | 0x7bb1e86fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x7bb1e90000 | 0x7bb1e92fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0x7bb1ea0000 | 0x7bb1ed1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000007bb1ef0000 | 0x7bb1ef0000 | 0x7bb1feffff | Private Memory | rw |
|
|
|
- |
| private_0x0000007bb20b0000 | 0x7bb20b0000 | 0x7bb20bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffa30000 | 0x7df5ffa30000 | 0x7ff5ffa2ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6487d0000 | 0x7ff6487d0000 | 0x7ff6488cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6488d0000 | 0x7ff6488d0000 | 0x7ff6488f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6488fb000 | 0x7ff6488fb000 | 0x7ff6488fcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6488fd000 | 0x7ff6488fd000 | 0x7ff6488fefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6488ff000 | 0x7ff6488ff000 | 0x7ff6488fffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50da0000 | 0x7ffc50db3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x7bb1e90000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #27: net.exe
0
0
| Information | Value |
|---|---|
| ID | #27 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:33, Reason: Child Process |
| Unmonitor | End Time: 00:01:35, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xec8 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ECC
0x
E78
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000002fb3f30000 | 0x2fb3f30000 | 0x2fb3f4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002fb3f50000 | 0x2fb3f50000 | 0x2fb3f63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002fb3f70000 | 0x2fb3f70000 | 0x2fb3feffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002fb3ff0000 | 0x2fb3ff0000 | 0x2fb3ff3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000002fb4000000 | 0x2fb4000000 | 0x2fb4000fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002fb4010000 | 0x2fb4010000 | 0x2fb4011fff | Private Memory | rw |
|
|
|
- |
| private_0x0000002fb40e0000 | 0x2fb40e0000 | 0x2fb41dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffe90000 | 0x7df5ffe90000 | 0x7ff5ffe8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca1e0000 | 0x7ff7ca1e0000 | 0x7ff7ca202fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca20b000 | 0x7ff7ca20b000 | 0x7ff7ca20bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca20e000 | 0x7ff7ca20e000 | 0x7ff7ca20ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #29: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #29 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:34, Reason: Child Process |
| Unmonitor | End Time: 00:01:35, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe7c |
| Parent PID | 0xec8 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E80
0x
E84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000006922690000 | 0x6922690000 | 0x69226affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006922690000 | 0x6922690000 | 0x692269ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000069226a0000 | 0x69226a0000 | 0x69226a6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000069226b0000 | 0x69226b0000 | 0x69226c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000069226d0000 | 0x69226d0000 | 0x692274ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006922750000 | 0x6922750000 | 0x6922753fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000006922760000 | 0x6922760000 | 0x6922760fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006922770000 | 0x6922770000 | 0x6922771fff | Private Memory | rw |
|
|
|
- |
| private_0x0000006922780000 | 0x6922780000 | 0x6922786fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x6922790000 | 0x6922792fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000069227c0000 | 0x69227c0000 | 0x69228bffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x69228c0000 | 0x692297dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000006922980000 | 0x6922980000 | 0x69229fffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x6922a00000 | 0x6922a31fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000006922ab0000 | 0x6922ab0000 | 0x6922abffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff6e0000 | 0x7df5ff6e0000 | 0x7ff5ff6dffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648a40000 | 0x7ff648a40000 | 0x7ff648b3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648b40000 | 0x7ff648b40000 | 0x7ff648b62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff648b6a000 | 0x7ff648b6a000 | 0x7ff648b6bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648b6c000 | 0x7ff648b6c000 | 0x7ff648b6cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648b6e000 | 0x7ff648b6e000 | 0x7ff648b6ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50da0000 | 0x7ffc50db3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x6922790000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #30: net.exe
0
0
| Information | Value |
|---|---|
| ID | #30 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:43, Reason: Child Process |
| Unmonitor | End Time: 00:01:46, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf4c |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F8C
0x
CBC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000c717270000 | 0xc717270000 | 0xc71728ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c717270000 | 0xc717270000 | 0xc71727ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000c717280000 | 0xc717280000 | 0xc717286fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c717290000 | 0xc717290000 | 0xc7172a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c7172b0000 | 0xc7172b0000 | 0xc71732ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c717330000 | 0xc717330000 | 0xc717333fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c717340000 | 0xc717340000 | 0xc717340fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c717350000 | 0xc717350000 | 0xc717351fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xc717360000 | 0xc71741dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c717420000 | 0xc717420000 | 0xc71749ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c7174a0000 | 0xc7174a0000 | 0xc7174a6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c7174c0000 | 0xc7174c0000 | 0xc7175bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c7176d0000 | 0xc7176d0000 | 0xc7176dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff690000 | 0x7df5ff690000 | 0x7ff5ff68ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca0b0000 | 0x7ff7ca0b0000 | 0x7ff7ca1affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7ca1b0000 | 0x7ff7ca1b0000 | 0x7ff7ca1d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca1da000 | 0x7ff7ca1da000 | 0x7ff7ca1dafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca1dc000 | 0x7ff7ca1dc000 | 0x7ff7ca1ddfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca1de000 | 0x7ff7ca1de000 | 0x7ff7ca1dffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50da0000 | 0x7ffc50db3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffc53810000 | 0x7ffc5382bfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #32: net.exe
0
0
| Information | Value |
|---|---|
| ID | #32 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:44, Reason: Child Process |
| Unmonitor | End Time: 00:01:46, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd54 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F7C
0x
56C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000b2a56c0000 | 0xb2a56c0000 | 0xb2a56dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b2a56c0000 | 0xb2a56c0000 | 0xb2a56cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b2a56e0000 | 0xb2a56e0000 | 0xb2a56f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b2a5700000 | 0xb2a5700000 | 0xb2a577ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b2a5780000 | 0xb2a5780000 | 0xb2a5783fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b2a5790000 | 0xb2a5790000 | 0xb2a5790fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b2a57a0000 | 0xb2a57a0000 | 0xb2a57a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xb2a57b0000 | 0xb2a586dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b2a5890000 | 0xb2a5890000 | 0xb2a598ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffbb0000 | 0x7df5ffbb0000 | 0x7ff5ffbaffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca730000 | 0x7ff7ca730000 | 0x7ff7ca82ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7ca830000 | 0x7ff7ca830000 | 0x7ff7ca852fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca855000 | 0x7ff7ca855000 | 0x7ff7ca855fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca85e000 | 0x7ff7ca85e000 | 0x7ff7ca85ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #34: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #34 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:44, Reason: Child Process |
| Unmonitor | End Time: 00:01:45, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc28 |
| Parent PID | 0xf4c (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CD4
0x
AE8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000007108050000 | 0x7108050000 | 0x710806ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007108050000 | 0x7108050000 | 0x710805ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000007108060000 | 0x7108060000 | 0x7108066fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007108070000 | 0x7108070000 | 0x7108083fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007108090000 | 0x7108090000 | 0x710810ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007108110000 | 0x7108110000 | 0x7108113fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000007108120000 | 0x7108120000 | 0x7108120fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007108130000 | 0x7108130000 | 0x7108131fff | Private Memory | rw |
|
|
|
- |
| private_0x0000007108140000 | 0x7108140000 | 0x71081bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000071081c0000 | 0x71081c0000 | 0x71081c6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x71081d0000 | 0x71081d2fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000071081f0000 | 0x71081f0000 | 0x71082effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x71082f0000 | 0x71083adfff | Memory Mapped File | r |
|
|
|
- |
| netmsg.dll.mui | 0x71083b0000 | 0x71083e1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000071084a0000 | 0x71084a0000 | 0x71084affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff2d0000 | 0x7df5ff2d0000 | 0x7ff5ff2cffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6485b0000 | 0x7ff6485b0000 | 0x7ff6486affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6486b0000 | 0x7ff6486b0000 | 0x7ff6486d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6486d3000 | 0x7ff6486d3000 | 0x7ff6486d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6486dc000 | 0x7ff6486dc000 | 0x7ff6486ddfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6486de000 | 0x7ff6486de000 | 0x7ff6486dffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50da0000 | 0x7ffc50db3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x71081d0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #35: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #35 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:45, Reason: Child Process |
| Unmonitor | End Time: 00:01:45, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7c4 |
| Parent PID | 0xd54 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A58
0x
DB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000008d84670000 | 0x8d84670000 | 0x8d8468ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008d84670000 | 0x8d84670000 | 0x8d8467ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000008d84680000 | 0x8d84680000 | 0x8d84686fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008d84690000 | 0x8d84690000 | 0x8d846a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008d846b0000 | 0x8d846b0000 | 0x8d8472ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008d84730000 | 0x8d84730000 | 0x8d84733fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008d84740000 | 0x8d84740000 | 0x8d84740fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008d84750000 | 0x8d84750000 | 0x8d84751fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x8d84760000 | 0x8d8481dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008d84820000 | 0x8d84820000 | 0x8d8489ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008d848a0000 | 0x8d848a0000 | 0x8d848a6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x8d848b0000 | 0x8d848b2fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000008d848d0000 | 0x8d848d0000 | 0x8d849cffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x8d849d0000 | 0x8d84a01fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008d84a30000 | 0x8d84a30000 | 0x8d84a3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff2b0000 | 0x7df5ff2b0000 | 0x7ff5ff2affff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6485a0000 | 0x7ff6485a0000 | 0x7ff64869ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6486a0000 | 0x7ff6486a0000 | 0x7ff6486c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6486ca000 | 0x7ff6486ca000 | 0x7ff6486cbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6486cc000 | 0x7ff6486cc000 | 0x7ff6486ccfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6486ce000 | 0x7ff6486ce000 | 0x7ff6486cffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50da0000 | 0x7ffc50db3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x8d848b0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #36: net.exe
0
0
| Information | Value |
|---|---|
| ID | #36 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:53, Reason: Child Process |
| Unmonitor | End Time: 00:01:59, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x10a4 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
10A8
0x
10C0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000b857e80000 | 0xb857e80000 | 0xb857e9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b857e80000 | 0xb857e80000 | 0xb857e8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b857e90000 | 0xb857e90000 | 0xb857e96fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b857ea0000 | 0xb857ea0000 | 0xb857eb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b857ec0000 | 0xb857ec0000 | 0xb857f3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b857f40000 | 0xb857f40000 | 0xb857f43fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b857f50000 | 0xb857f50000 | 0xb857f50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b857f60000 | 0xb857f60000 | 0xb857f61fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xb857f70000 | 0xb85802dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b858030000 | 0xb858030000 | 0xb85812ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b858130000 | 0xb858130000 | 0xb8581affff | Private Memory | rw |
|
|
|
- |
| private_0x000000b8581b0000 | 0xb8581b0000 | 0xb8581b6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b858240000 | 0xb858240000 | 0xb85824ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff890000 | 0x7df5ff890000 | 0x7ff5ff88ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7c9be0000 | 0x7ff7c9be0000 | 0x7ff7c9cdffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7c9ce0000 | 0x7ff7c9ce0000 | 0x7ff7c9d02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7c9d0b000 | 0x7ff7c9d0b000 | 0x7ff7c9d0bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7c9d0c000 | 0x7ff7c9d0c000 | 0x7ff7c9d0dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7c9d0e000 | 0x7ff7c9d0e000 | 0x7ff7c9d0ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50da0000 | 0x7ffc50db3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x7ffc53810000 | 0x7ffc5382bfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #38: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #38 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:54, Reason: Child Process |
| Unmonitor | End Time: 00:01:59, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x10c4 |
| Parent PID | 0x10a4 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
10C8
0x
10CC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000003b22720000 | 0x3b22720000 | 0x3b2273ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003b22720000 | 0x3b22720000 | 0x3b2272ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000003b22730000 | 0x3b22730000 | 0x3b22736fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003b22740000 | 0x3b22740000 | 0x3b22753fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003b22760000 | 0x3b22760000 | 0x3b227dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000003b227e0000 | 0x3b227e0000 | 0x3b227e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000003b227f0000 | 0x3b227f0000 | 0x3b227f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000003b22800000 | 0x3b22800000 | 0x3b22801fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x3b22810000 | 0x3b228cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003b228d0000 | 0x3b228d0000 | 0x3b2294ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b22950000 | 0x3b22950000 | 0x3b22956fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x3b22960000 | 0x3b22962fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0x3b22970000 | 0x3b229a1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000003b229b0000 | 0x3b229b0000 | 0x3b22aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000003b22ca0000 | 0x3b22ca0000 | 0x3b22caffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffd40000 | 0x7df5ffd40000 | 0x7ff5ffd3ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648b10000 | 0x7ff648b10000 | 0x7ff648c0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648c10000 | 0x7ff648c10000 | 0x7ff648c32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff648c3b000 | 0x7ff648c3b000 | 0x7ff648c3cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648c3d000 | 0x7ff648c3d000 | 0x7ff648c3efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648c3f000 | 0x7ff648c3f000 | 0x7ff648c3ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50da0000 | 0x7ffc50db3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x3b22960000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #39: net.exe
0
0
| Information | Value |
|---|---|
| ID | #39 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:55, Reason: Child Process |
| Unmonitor | End Time: 00:01:59, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x10dc |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
10E0
0x
116C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000ff8f7f0000 | 0xff8f7f0000 | 0xff8f80ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ff8f7f0000 | 0xff8f7f0000 | 0xff8f7fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000ff8f810000 | 0xff8f810000 | 0xff8f823fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ff8f830000 | 0xff8f830000 | 0xff8f8affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ff8f8b0000 | 0xff8f8b0000 | 0xff8f8b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ff8f8c0000 | 0xff8f8c0000 | 0xff8f8c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ff8f8d0000 | 0xff8f8d0000 | 0xff8f8d1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xff8f8e0000 | 0xff8f99dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ff8fa60000 | 0xff8fa60000 | 0xff8fb5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffa10000 | 0x7df5ffa10000 | 0x7ff5ffa0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7c9e40000 | 0x7ff7c9e40000 | 0x7ff7c9f3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7c9f40000 | 0x7ff7c9f40000 | 0x7ff7c9f62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7c9f69000 | 0x7ff7c9f69000 | 0x7ff7c9f69fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7c9f6e000 | 0x7ff7c9f6e000 | 0x7ff7c9f6ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #41: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #41 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:59, Reason: Child Process |
| Unmonitor | End Time: 00:02:00, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1170 |
| Parent PID | 0x10dc (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1174
0x
1178
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000062817c0000 | 0x62817c0000 | 0x62817dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000062817c0000 | 0x62817c0000 | 0x62817cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000062817d0000 | 0x62817d0000 | 0x62817d6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000062817e0000 | 0x62817e0000 | 0x62817f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006281800000 | 0x6281800000 | 0x628187ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006281880000 | 0x6281880000 | 0x6281883fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000006281890000 | 0x6281890000 | 0x6281890fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000062818a0000 | 0x62818a0000 | 0x62818a1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000062818b0000 | 0x62818b0000 | 0x62818b6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x62818c0000 | 0x62818c2fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000062818e0000 | 0x62818e0000 | 0x62819dffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x62819e0000 | 0x6281a9dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000006281aa0000 | 0x6281aa0000 | 0x6281b1ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x6281b20000 | 0x6281b51fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000006281ba0000 | 0x6281ba0000 | 0x6281baffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff980000 | 0x7df5ff980000 | 0x7ff5ff97ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648100000 | 0x7ff648100000 | 0x7ff6481fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648200000 | 0x7ff648200000 | 0x7ff648222fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff648227000 | 0x7ff648227000 | 0x7ff648227fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64822c000 | 0x7ff64822c000 | 0x7ff64822dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64822e000 | 0x7ff64822e000 | 0x7ff64822ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50da0000 | 0x7ffc50db3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x62818c0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #42: werfault.exe
0
0
| Information | Value |
|---|---|
| ID | #42 |
| File Name | c:\windows\system32\werfault.exe |
| Command Line | C:\Windows\system32\WerFault.exe -u -p 3236 -s 624 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:59, Reason: Child Process |
| Unmonitor | End Time: 00:02:32, Reason: Self Terminated |
| Monitor Duration | 00:00:33 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x118c |
| Parent PID | 0xca4 (c:\windows\system32\backgroundtaskhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
1190
0x
119C
0x
1234
0x
1238
0x
123C
0x
1240
0x
858
0x
1C6C
0x
1E48
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000007859e0000 | 0x7859e0000 | 0x7859fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000007859e0000 | 0x7859e0000 | 0x7859effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000007859f0000 | 0x7859f0000 | 0x7859f6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000785a00000 | 0x785a00000 | 0x785a13fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000785a20000 | 0x785a20000 | 0x785a9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000785aa0000 | 0x785aa0000 | 0x785aa3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000785ab0000 | 0x785ab0000 | 0x785ab2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000785ac0000 | 0x785ac0000 | 0x785ac1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x785ad0000 | 0x785b8dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000785b90000 | 0x785b90000 | 0x785c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000785c10000 | 0x785c10000 | 0x785d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000785d10000 | 0x785d10000 | 0x785d16fff | Private Memory | rw |
|
|
|
- |
| werfault.exe.mui | 0x785d20000 | 0x785d23fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000785d30000 | 0x785d30000 | 0x785d30fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000785d40000 | 0x785d40000 | 0x785d40fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000785d50000 | 0x785d50000 | 0x785d50fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000785d60000 | 0x785d60000 | 0x785d60fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000785d70000 | 0x785d70000 | 0x785d70fff | Pagefile Backed Memory | r |
|
|
|
- |
| ntdll.dll.mui | 0x785d80000 | 0x785de5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000785df0000 | 0x785df0000 | 0x785dfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000785e00000 | 0x785e00000 | 0x785f87fff | Pagefile Backed Memory | r |
|
|
|
- |
| faultrep.dll.mui | 0x785f90000 | 0x785f91fff | Memory Mapped File | r |
|
|
|
- |
| wer.dll.mui | 0x785fa0000 | 0x785fa2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000785fb0000 | 0x785fb0000 | 0x785fb6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000785fc0000 | 0x785fc0000 | 0x785fcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000785fd0000 | 0x785fd0000 | 0x786150fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000786160000 | 0x786160000 | 0x78755ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000787560000 | 0x787560000 | 0x7875dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000007875e0000 | 0x7875e0000 | 0x78765ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000787660000 | 0x787660000 | 0x787661fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000787670000 | 0x787670000 | 0x787671fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000787680000 | 0x787680000 | 0x787680fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000787690000 | 0x787690000 | 0x787691fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000007876a0000 | 0x7876a0000 | 0x7876c9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000007876d0000 | 0x7876d0000 | 0x7876dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x7876e0000 | 0x787a16fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000787a20000 | 0x787a20000 | 0x787a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000787aa0000 | 0x787aa0000 | 0x787b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000787b20000 | 0x787b20000 | 0x787c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000787c20000 | 0x787c20000 | 0x787d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000787d20000 | 0x787d20000 | 0x787e1ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x787e20000 | 0x787efefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000787f00000 | 0x787f00000 | 0x787ffffff | Private Memory | rw |
|
|
|
- |
| winnlsres.dll | 0x788000000 | 0x788004fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0x788010000 | 0x78801ffff | Memory Mapped File | r |
|
|
|
- |
| mswsock.dll.mui | 0x788020000 | 0x788022fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000788030000 | 0x788030000 | 0x788031fff | Pagefile Backed Memory | rw |
|
|
|
- |
| crypt32.dll.mui | 0x788040000 | 0x788049fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000788050000 | 0x788050000 | 0x7880cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000007880d0000 | 0x7880d0000 | 0x7882cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffc60000 | 0x7df5ffc60000 | 0x7ff5ffc5ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff738fbc000 | 0x7ff738fbc000 | 0x7ff738fbdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff738fbe000 | 0x7ff738fbe000 | 0x7ff738fbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff738fc0000 | 0x7ff738fc0000 | 0x7ff7390bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7390c0000 | 0x7ff7390c0000 | 0x7ff7390e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7390e4000 | 0x7ff7390e4000 | 0x7ff7390e5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7390e6000 | 0x7ff7390e6000 | 0x7ff7390e7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7390e8000 | 0x7ff7390e8000 | 0x7ff7390e8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7390ea000 | 0x7ff7390ea000 | 0x7ff7390ebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7390ec000 | 0x7ff7390ec000 | 0x7ff7390edfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7390ee000 | 0x7ff7390ee000 | 0x7ff7390effff | Private Memory | rw |
|
|
|
- |
| werfault.exe | 0x7ff739e30000 | 0x7ff739e7afff | Memory Mapped File | rwx |
|
|
|
- |
| dbgeng.dll | 0x7ffc3e090000 | 0x7ffc3e56bfff | Memory Mapped File | rwx |
|
|
|
- |
| dui70.dll | 0x7ffc3e820000 | 0x7ffc3e9cffff | Memory Mapped File | rwx |
|
|
|
- |
| dbgmodel.dll | 0x7ffc3f110000 | 0x7ffc3f1a0fff | Memory Mapped File | rwx |
|
|
|
- |
| wer.dll | 0x7ffc3fb50000 | 0x7ffc3fbedfff | Memory Mapped File | rwx |
|
|
|
- |
| dbghelp.dll | 0x7ffc3fe00000 | 0x7ffc3ff89fff | Memory Mapped File | rwx |
|
|
|
- |
| mskeyprotect.dll | 0x7ffc42390000 | 0x7ffc423a3fff | Memory Mapped File | rwx |
|
|
|
- |
| ncryptsslp.dll | 0x7ffc42440000 | 0x7ffc4245efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.security.authentication.onlineid.dll | 0x7ffc44de0000 | 0x7ffc44e92fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptnet.dll | 0x7ffc48f00000 | 0x7ffc48f2efff | Memory Mapped File | rwx |
|
|
|
- |
| werui.dll | 0x7ffc48f70000 | 0x7ffc48fe3fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffc48ff0000 | 0x7ffc49459fff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x7ffc4a100000 | 0x7ffc4a17ffff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ffc4b090000 | 0x7ffc4b09dfff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ffc4b6e0000 | 0x7ffc4b6ebfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffc4b890000 | 0x7ffc4b899fff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x7ffc4b8c0000 | 0x7ffc4b8d4fff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7ffc4c220000 | 0x7ffc4c25efff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7ffc4c270000 | 0x7ffc4c279fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4cbd0000 | 0x7ffc4ce43fff | Memory Mapped File | rwx |
|
|
|
- |
| dbgcore.dll | 0x7ffc4d190000 | 0x7ffc4d1b4fff | Memory Mapped File | rwx |
|
|
|
- |
| faultrep.dll | 0x7ffc4d1c0000 | 0x7ffc4d21dfff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ffc4d9d0000 | 0x7ffc4daa5fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7ffc50980000 | 0x7ffc509e7fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ffc50a50000 | 0x7ffc50a69fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ffc50a70000 | 0x7ffc50a85fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffc52ef0000 | 0x7ffc52f16fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ffc52f40000 | 0x7ffc5302dfff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ffc534a0000 | 0x7ffc534c2fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ffc53920000 | 0x7ffc53951fff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x7ffc53980000 | 0x7ffc539f3fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ffc53be0000 | 0x7ffc53c87fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffc53dd0000 | 0x7ffc53e2cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntasn1.dll | 0x7ffc53f30000 | 0x7ffc53f65fff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x7ffc53f70000 | 0x7ffc53f95fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x7ffc541f0000 | 0x7ffc541f9fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc545f0000 | 0x7ffc54600fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc54db0000 | 0x7ffc54f70fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7ffc55220000 | 0x7ffc5527afff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffc57900000 | 0x7ffc57968fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #43: werfault.exe
0
0
| Information | Value |
|---|---|
| ID | #43 |
| File Name | c:\windows\system32\werfault.exe |
| Command Line | C:\Windows\system32\WerFault.exe -u -p 2212 -s 776 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:59, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Self Terminated |
| Monitor Duration | 00:00:34 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1194 |
| Parent PID | 0x8a4 (c:\windows\system32\backgroundtaskhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
1198
0x
11A0
0x
1244
0x
1248
0x
124C
0x
1250
0x
13E0
0x
1C98
0x
1E6C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000008af12c0000 | 0x8af12c0000 | 0x8af12dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008af12c0000 | 0x8af12c0000 | 0x8af12cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000008af12d0000 | 0x8af12d0000 | 0x8af12d6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008af12e0000 | 0x8af12e0000 | 0x8af12f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008af1300000 | 0x8af1300000 | 0x8af137ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008af1380000 | 0x8af1380000 | 0x8af1383fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008af1390000 | 0x8af1390000 | 0x8af1392fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008af13a0000 | 0x8af13a0000 | 0x8af13a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x8af13b0000 | 0x8af146dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008af1470000 | 0x8af1470000 | 0x8af14effff | Private Memory | rw |
|
|
|
- |
| private_0x0000008af14f0000 | 0x8af14f0000 | 0x8af14f6fff | Private Memory | rw |
|
|
|
- |
| werfault.exe.mui | 0x8af1500000 | 0x8af1503fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008af1510000 | 0x8af1510000 | 0x8af151ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008af1520000 | 0x8af1520000 | 0x8af1520fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008af1530000 | 0x8af1530000 | 0x8af1530fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008af1540000 | 0x8af1540000 | 0x8af1540fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000008af1550000 | 0x8af1550000 | 0x8af155ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008af1560000 | 0x8af1560000 | 0x8af1560fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008af1570000 | 0x8af1570000 | 0x8af1570fff | Pagefile Backed Memory | r |
|
|
|
- |
| faultrep.dll.mui | 0x8af1580000 | 0x8af1581fff | Memory Mapped File | r |
|
|
|
- |
| wer.dll.mui | 0x8af1590000 | 0x8af1592fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008af15a0000 | 0x8af15a0000 | 0x8af169ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008af16a0000 | 0x8af16a0000 | 0x8af171ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008af1720000 | 0x8af1720000 | 0x8af1726fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008af1730000 | 0x8af1730000 | 0x8af1731fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008af1740000 | 0x8af1740000 | 0x8af1741fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008af1750000 | 0x8af1750000 | 0x8af1750fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000008af1760000 | 0x8af1760000 | 0x8af1761fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008af1770000 | 0x8af1770000 | 0x8af177ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008af1780000 | 0x8af1780000 | 0x8af1907fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008af1910000 | 0x8af1910000 | 0x8af1a90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008af1aa0000 | 0x8af1aa0000 | 0x8af2e9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x8af2ea0000 | 0x8af31d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008af31e0000 | 0x8af31e0000 | 0x8af325ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008af3260000 | 0x8af3260000 | 0x8af32dffff | Private Memory | rw |
|
|
|
- |
| ntdll.dll.mui | 0x8af32e0000 | 0x8af3345fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008af3350000 | 0x8af3350000 | 0x8af33cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008af33d0000 | 0x8af33d0000 | 0x8af34cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008af34d0000 | 0x8af34d0000 | 0x8af35cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008af35d0000 | 0x8af35d0000 | 0x8af36cffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x8af36d0000 | 0x8af37aefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008af37b0000 | 0x8af37b0000 | 0x8af38affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008af38b0000 | 0x8af38b0000 | 0x8af38d9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| winnlsres.dll | 0x8af38e0000 | 0x8af38e4fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0x8af38f0000 | 0x8af38fffff | Memory Mapped File | r |
|
|
|
- |
| mswsock.dll.mui | 0x8af3900000 | 0x8af3902fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000008af3910000 | 0x8af3910000 | 0x8af3911fff | Pagefile Backed Memory | rw |
|
|
|
- |
| crypt32.dll.mui | 0x8af3920000 | 0x8af3929fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008af3930000 | 0x8af3930000 | 0x8af39affff | Private Memory | rw |
|
|
|
- |
| private_0x0000008af39b0000 | 0x8af39b0000 | 0x8af3baffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff600000 | 0x7df5ff600000 | 0x7ff5ff5fffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff738f0e000 | 0x7ff738f0e000 | 0x7ff738f0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff738f10000 | 0x7ff738f10000 | 0x7ff73900ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff739010000 | 0x7ff739010000 | 0x7ff739032fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff739033000 | 0x7ff739033000 | 0x7ff739034fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff739035000 | 0x7ff739035000 | 0x7ff739036fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff739037000 | 0x7ff739037000 | 0x7ff739038fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff739039000 | 0x7ff739039000 | 0x7ff739039fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff73903a000 | 0x7ff73903a000 | 0x7ff73903bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff73903c000 | 0x7ff73903c000 | 0x7ff73903dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff73903e000 | 0x7ff73903e000 | 0x7ff73903ffff | Private Memory | rw |
|
|
|
- |
| werfault.exe | 0x7ff739e30000 | 0x7ff739e7afff | Memory Mapped File | rwx |
|
|
|
- |
| dui70.dll | 0x7ffc3e820000 | 0x7ffc3e9cffff | Memory Mapped File | rwx |
|
|
|
- |
| wer.dll | 0x7ffc3fb50000 | 0x7ffc3fbedfff | Memory Mapped File | rwx |
|
|
|
- |
| dbghelp.dll | 0x7ffc3fe00000 | 0x7ffc3ff89fff | Memory Mapped File | rwx |
|
|
|
- |
| mskeyprotect.dll | 0x7ffc42390000 | 0x7ffc423a3fff | Memory Mapped File | rwx |
|
|
|
- |
| ncryptsslp.dll | 0x7ffc42440000 | 0x7ffc4245efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.security.authentication.onlineid.dll | 0x7ffc44de0000 | 0x7ffc44e92fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptnet.dll | 0x7ffc48f00000 | 0x7ffc48f2efff | Memory Mapped File | rwx |
|
|
|
- |
| werui.dll | 0x7ffc48f70000 | 0x7ffc48fe3fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffc48ff0000 | 0x7ffc49459fff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x7ffc4a100000 | 0x7ffc4a17ffff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ffc4b090000 | 0x7ffc4b09dfff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ffc4b6e0000 | 0x7ffc4b6ebfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffc4b890000 | 0x7ffc4b899fff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x7ffc4b8c0000 | 0x7ffc4b8d4fff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7ffc4c220000 | 0x7ffc4c25efff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7ffc4c270000 | 0x7ffc4c279fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4cbd0000 | 0x7ffc4ce43fff | Memory Mapped File | rwx |
|
|
|
- |
| dbgcore.dll | 0x7ffc4d190000 | 0x7ffc4d1b4fff | Memory Mapped File | rwx |
|
|
|
- |
| faultrep.dll | 0x7ffc4d1c0000 | 0x7ffc4d21dfff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ffc4d9d0000 | 0x7ffc4daa5fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7ffc50980000 | 0x7ffc509e7fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ffc50a50000 | 0x7ffc50a69fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ffc50a70000 | 0x7ffc50a85fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffc52ef0000 | 0x7ffc52f16fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ffc52f40000 | 0x7ffc5302dfff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ffc534a0000 | 0x7ffc534c2fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ffc53920000 | 0x7ffc53951fff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x7ffc53980000 | 0x7ffc539f3fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ffc53be0000 | 0x7ffc53c87fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffc53dd0000 | 0x7ffc53e2cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntasn1.dll | 0x7ffc53f30000 | 0x7ffc53f65fff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x7ffc53f70000 | 0x7ffc53f95fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x7ffc541f0000 | 0x7ffc541f9fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc545f0000 | 0x7ffc54600fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc54db0000 | 0x7ffc54f70fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7ffc55220000 | 0x7ffc5527afff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffc57900000 | 0x7ffc57968fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #44: werfault.exe
0
0
| Information | Value |
|---|---|
| ID | #44 |
| File Name | c:\windows\system32\werfault.exe |
| Command Line | C:\Windows\system32\WerFault.exe -u -p 2532 -s 3256 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:02, Reason: Child Process |
| Unmonitor | End Time: 00:02:31, Reason: Self Terminated |
| Monitor Duration | 00:00:29 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1294 |
| Parent PID | 0x9e4 (c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
1298
0x
129C
0x
139C
0x
13A4
0x
13A8
0x
13B0
0x
1498
0x
1C9C
0x
1E4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000000100000000 | 0x100000000 | 0x10001ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000100000000 | 0x100000000 | 0x10000ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000100010000 | 0x100010000 | 0x100016fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000100020000 | 0x100020000 | 0x100033fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000100040000 | 0x100040000 | 0x1000bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000001000c0000 | 0x1000c0000 | 0x1000c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000001000d0000 | 0x1000d0000 | 0x1000d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000001000e0000 | 0x1000e0000 | 0x1000e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000001000f0000 | 0x1000f0000 | 0x10016ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000100170000 | 0x100170000 | 0x100176fff | Private Memory | rw |
|
|
|
- |
| werfault.exe.mui | 0x100180000 | 0x100183fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000100190000 | 0x100190000 | 0x10028ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x100290000 | 0x10034dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000100350000 | 0x100350000 | 0x100350fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000100360000 | 0x100360000 | 0x100360fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000100370000 | 0x100370000 | 0x100370fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000100380000 | 0x100380000 | 0x100380fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000100390000 | 0x100390000 | 0x100390fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000001003a0000 | 0x1003a0000 | 0x1003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000001003b0000 | 0x1003b0000 | 0x10042ffff | Private Memory | rw |
|
|
|
- |
| faultrep.dll.mui | 0x100430000 | 0x100431fff | Memory Mapped File | r |
|
|
|
- |
| wer.dll.mui | 0x100440000 | 0x100442fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000100450000 | 0x100450000 | 0x100456fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000100460000 | 0x100460000 | 0x100461fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000100470000 | 0x100470000 | 0x100471fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000100480000 | 0x100480000 | 0x10048ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000100490000 | 0x100490000 | 0x100617fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000100620000 | 0x100620000 | 0x1007a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000001007b0000 | 0x1007b0000 | 0x101baffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000101bb0000 | 0x101bb0000 | 0x101c2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000101c30000 | 0x101c30000 | 0x101c30fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000101c40000 | 0x101c40000 | 0x101c41fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000101c50000 | 0x101c50000 | 0x101c79fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000101c80000 | 0x101c80000 | 0x101c8ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x101c90000 | 0x101fc6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000101fd0000 | 0x101fd0000 | 0x10204ffff | Private Memory | rw |
|
|
|
- |
| ntdll.dll.mui | 0x102050000 | 0x1020b5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000001020c0000 | 0x1020c0000 | 0x10213ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000102140000 | 0x102140000 | 0x10223ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000102240000 | 0x102240000 | 0x10233ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000102340000 | 0x102340000 | 0x10243ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000102440000 | 0x102440000 | 0x10263ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x102640000 | 0x10271efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000102720000 | 0x102720000 | 0x10281ffff | Private Memory | rw |
|
|
|
- |
| winnlsres.dll | 0x102820000 | 0x102824fff | Memory Mapped File | r |
|
|
|
- |
| winnlsres.dll.mui | 0x102830000 | 0x10283ffff | Memory Mapped File | r |
|
|
|
- |
| mswsock.dll.mui | 0x102840000 | 0x102842fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000102850000 | 0x102850000 | 0x102851fff | Pagefile Backed Memory | rw |
|
|
|
- |
| crypt32.dll.mui | 0x102860000 | 0x102869fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000102870000 | 0x102870000 | 0x1028effff | Private Memory | rw |
|
|
|
- |
| private_0x00000001028f0000 | 0x1028f0000 | 0x10296ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffe10000 | 0x7df5ffe10000 | 0x7ff5ffe0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff73921c000 | 0x7ff73921c000 | 0x7ff73921dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff73921e000 | 0x7ff73921e000 | 0x7ff73921ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff739220000 | 0x7ff739220000 | 0x7ff73931ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff739320000 | 0x7ff739320000 | 0x7ff739342fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff739343000 | 0x7ff739343000 | 0x7ff739344fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff739345000 | 0x7ff739345000 | 0x7ff739345fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff739346000 | 0x7ff739346000 | 0x7ff739347fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff739348000 | 0x7ff739348000 | 0x7ff739349fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff73934a000 | 0x7ff73934a000 | 0x7ff73934bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff73934c000 | 0x7ff73934c000 | 0x7ff73934dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff73934e000 | 0x7ff73934e000 | 0x7ff73934ffff | Private Memory | rw |
|
|
|
- |
| werfault.exe | 0x7ff739e30000 | 0x7ff739e7afff | Memory Mapped File | rwx |
|
|
|
- |
| dui70.dll | 0x7ffc3e820000 | 0x7ffc3e9cffff | Memory Mapped File | rwx |
|
|
|
- |
| wer.dll | 0x7ffc3fb50000 | 0x7ffc3fbedfff | Memory Mapped File | rwx |
|
|
|
- |
| dbghelp.dll | 0x7ffc3fe00000 | 0x7ffc3ff89fff | Memory Mapped File | rwx |
|
|
|
- |
| mskeyprotect.dll | 0x7ffc42390000 | 0x7ffc423a3fff | Memory Mapped File | rwx |
|
|
|
- |
| ncryptsslp.dll | 0x7ffc42440000 | 0x7ffc4245efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.security.authentication.onlineid.dll | 0x7ffc44de0000 | 0x7ffc44e92fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptnet.dll | 0x7ffc48f00000 | 0x7ffc48f2efff | Memory Mapped File | rwx |
|
|
|
- |
| werui.dll | 0x7ffc48f70000 | 0x7ffc48fe3fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ffc48ff0000 | 0x7ffc49459fff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x7ffc4a100000 | 0x7ffc4a17ffff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7ffc4b090000 | 0x7ffc4b09dfff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7ffc4b6e0000 | 0x7ffc4b6ebfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ffc4b890000 | 0x7ffc4b899fff | Memory Mapped File | rwx |
|
|
|
- |
| ondemandconnroutehelper.dll | 0x7ffc4b8c0000 | 0x7ffc4b8d4fff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7ffc4c220000 | 0x7ffc4c25efff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7ffc4c270000 | 0x7ffc4c279fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ffc4cbd0000 | 0x7ffc4ce43fff | Memory Mapped File | rwx |
|
|
|
- |
| dbgcore.dll | 0x7ffc4d190000 | 0x7ffc4d1b4fff | Memory Mapped File | rwx |
|
|
|
- |
| faultrep.dll | 0x7ffc4d1c0000 | 0x7ffc4d21dfff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x7ffc4d9d0000 | 0x7ffc4daa5fff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x7ffc4fb00000 | 0x7ffc4fb35fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7ffc50980000 | 0x7ffc509e7fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7ffc50a50000 | 0x7ffc50a69fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7ffc50a70000 | 0x7ffc50a85fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7ffc51c30000 | 0x7ffc51c3afff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7ffc51c50000 | 0x7ffc51c87fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ffc52d70000 | 0x7ffc52e05fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7ffc52ef0000 | 0x7ffc52f16fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ffc52f40000 | 0x7ffc5302dfff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x7ffc534a0000 | 0x7ffc534c2fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7ffc53920000 | 0x7ffc53951fff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x7ffc53980000 | 0x7ffc539f3fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ffc53a90000 | 0x7ffc53ac2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ffc53b80000 | 0x7ffc53b9efff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x7ffc53be0000 | 0x7ffc53c87fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x7ffc53dd0000 | 0x7ffc53e2cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntasn1.dll | 0x7ffc53f30000 | 0x7ffc53f65fff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x7ffc53f70000 | 0x7ffc53f95fff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x7ffc541f0000 | 0x7ffc541f9fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ffc54210000 | 0x7ffc54226fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ffc54280000 | 0x7ffc5428afff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7ffc54320000 | 0x7ffc5434bfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc543d0000 | 0x7ffc5443afff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ffc54580000 | 0x7ffc54592fff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ffc545a0000 | 0x7ffc545e9fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7ffc545f0000 | 0x7ffc54600fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc54610000 | 0x7ffc5461efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ffc54620000 | 0x7ffc54663fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ffc54670000 | 0x7ffc54c97fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7ffc54db0000 | 0x7ffc54f70fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ffc54f80000 | 0x7ffc55032fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7ffc55220000 | 0x7ffc5527afff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ffc55280000 | 0x7ffc552b5fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ffc55380000 | 0x7ffc554dbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ffc554e0000 | 0x7ffc5562dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ffc55910000 | 0x7ffc559cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ffc559d0000 | 0x7ffc56ef4fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7ffc56f00000 | 0x7ffc56f07fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ffc56f10000 | 0x7ffc57094fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ffc571d0000 | 0x7ffc5744bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ffc57750000 | 0x7ffc57890fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ffc578a0000 | 0x7ffc578f0fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7ffc57900000 | 0x7ffc57968fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ffc57970000 | 0x7ffc57a14fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ffc57aa0000 | 0x7ffc57b45fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #45: net.exe
0
0
| Information | Value |
|---|---|
| ID | #45 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:06, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x138c |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1390
0x
10D0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000d74bfa0000 | 0xd74bfa0000 | 0xd74bfbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d74bfa0000 | 0xd74bfa0000 | 0xd74bfaffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000d74bfc0000 | 0xd74bfc0000 | 0xd74bfd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d74bfe0000 | 0xd74bfe0000 | 0xd74c05ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d74c060000 | 0xd74c060000 | 0xd74c063fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d74c070000 | 0xd74c070000 | 0xd74c070fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d74c080000 | 0xd74c080000 | 0xd74c081fff | Private Memory | rw |
|
|
|
- |
| private_0x000000d74c0b0000 | 0xd74c0b0000 | 0xd74c1affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xd74c1b0000 | 0xd74c26dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff670000 | 0x7df5ff670000 | 0x7ff5ff66ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7c9f20000 | 0x7ff7c9f20000 | 0x7ff7ca01ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7ca020000 | 0x7ff7ca020000 | 0x7ff7ca042fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca044000 | 0x7ff7ca044000 | 0x7ff7ca044fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca04e000 | 0x7ff7ca04e000 | 0x7ff7ca04ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #47: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #47 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:05, Reason: Child Process |
| Unmonitor | End Time: 00:02:06, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x10ac |
| Parent PID | 0x138c (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1174
0x
1164
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000bfb1a20000 | 0xbfb1a20000 | 0xbfb1a3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000bfb1a20000 | 0xbfb1a20000 | 0xbfb1a2ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000bfb1a30000 | 0xbfb1a30000 | 0xbfb1a36fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000bfb1a40000 | 0xbfb1a40000 | 0xbfb1a53fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000bfb1a60000 | 0xbfb1a60000 | 0xbfb1adffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000bfb1ae0000 | 0xbfb1ae0000 | 0xbfb1ae3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000bfb1af0000 | 0xbfb1af0000 | 0xbfb1af0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000bfb1b00000 | 0xbfb1b00000 | 0xbfb1b01fff | Private Memory | rw |
|
|
|
- |
| private_0x000000bfb1b10000 | 0xbfb1b10000 | 0xbfb1b16fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xbfb1b20000 | 0xbfb1b22fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0xbfb1b30000 | 0xbfb1b61fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000bfb1b70000 | 0xbfb1b70000 | 0xbfb1c6ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xbfb1c70000 | 0xbfb1d2dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000bfb1d30000 | 0xbfb1d30000 | 0xbfb1daffff | Private Memory | rw |
|
|
|
- |
| private_0x000000bfb1eb0000 | 0xbfb1eb0000 | 0xbfb1ebffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff360000 | 0x7df5ff360000 | 0x7ff5ff35ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648520000 | 0x7ff648520000 | 0x7ff64861ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648620000 | 0x7ff648620000 | 0x7ff648642fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff64864a000 | 0x7ff64864a000 | 0x7ff64864bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64864c000 | 0x7ff64864c000 | 0x7ff64864cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64864e000 | 0x7ff64864e000 | 0x7ff64864ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50da0000 | 0x7ffc50db3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xbfb1b20000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #48: net.exe
0
0
| Information | Value |
|---|---|
| ID | #48 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:06, Reason: Child Process |
| Unmonitor | End Time: 00:02:07, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1450 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1454
0x
146C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000093ed1d0000 | 0x93ed1d0000 | 0x93ed1effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000093ed1d0000 | 0x93ed1d0000 | 0x93ed1dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000093ed1f0000 | 0x93ed1f0000 | 0x93ed203fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000093ed210000 | 0x93ed210000 | 0x93ed28ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000093ed290000 | 0x93ed290000 | 0x93ed293fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000093ed2a0000 | 0x93ed2a0000 | 0x93ed2a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000093ed2b0000 | 0x93ed2b0000 | 0x93ed2b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000093ed320000 | 0x93ed320000 | 0x93ed41ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x93ed420000 | 0x93ed4ddfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff600000 | 0x7df5ff600000 | 0x7ff5ff5fffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7c9e70000 | 0x7ff7c9e70000 | 0x7ff7c9f6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7c9f70000 | 0x7ff7c9f70000 | 0x7ff7c9f92fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7c9f95000 | 0x7ff7c9f95000 | 0x7ff7c9f95fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7c9f9e000 | 0x7ff7c9f9e000 | 0x7ff7c9f9ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #50: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #50 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:06, Reason: Child Process |
| Unmonitor | End Time: 00:02:07, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1470 |
| Parent PID | 0x1450 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1474
0x
1478
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000bbca9c0000 | 0xbbca9c0000 | 0xbbca9dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000bbca9c0000 | 0xbbca9c0000 | 0xbbca9cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000bbca9d0000 | 0xbbca9d0000 | 0xbbca9d6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000bbca9e0000 | 0xbbca9e0000 | 0xbbca9f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000bbcaa00000 | 0xbbcaa00000 | 0xbbcaa7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000bbcaa80000 | 0xbbcaa80000 | 0xbbcaa83fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000bbcaa90000 | 0xbbcaa90000 | 0xbbcaa90fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000bbcaaa0000 | 0xbbcaaa0000 | 0xbbcaaa1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xbbcaab0000 | 0xbbcab6dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000bbcab70000 | 0xbbcab70000 | 0xbbcab76fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xbbcab80000 | 0xbbcab82fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000bbcab90000 | 0xbbcab90000 | 0xbbcac8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000bbcac90000 | 0xbbcac90000 | 0xbbcad0ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0xbbcad10000 | 0xbbcad41fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000bbcae30000 | 0xbbcae30000 | 0xbbcae3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff940000 | 0x7df5ff940000 | 0x7ff5ff93ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648610000 | 0x7ff648610000 | 0x7ff64870ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648710000 | 0x7ff648710000 | 0x7ff648732fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff648733000 | 0x7ff648733000 | 0x7ff648733fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64873c000 | 0x7ff64873c000 | 0x7ff64873dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64873e000 | 0x7ff64873e000 | 0x7ff64873ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50da0000 | 0x7ffc50db3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xbbcab80000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #51: net.exe
0
0
| Information | Value |
|---|---|
| ID | #51 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:15, Reason: Child Process |
| Unmonitor | End Time: 00:02:19, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x17c8 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
17CC
0x
186C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000408ee70000 | 0x408ee70000 | 0x408ee8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000408ee70000 | 0x408ee70000 | 0x408ee7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000408ee90000 | 0x408ee90000 | 0x408eea3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000408eeb0000 | 0x408eeb0000 | 0x408ef2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000408ef30000 | 0x408ef30000 | 0x408ef33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000408ef40000 | 0x408ef40000 | 0x408ef40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000408ef50000 | 0x408ef50000 | 0x408ef51fff | Private Memory | rw |
|
|
|
- |
| private_0x000000408efb0000 | 0x408efb0000 | 0x408f0affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x408f0b0000 | 0x408f16dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff810000 | 0x7df5ff810000 | 0x7ff5ff80ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7c9e20000 | 0x7ff7c9e20000 | 0x7ff7c9f1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7c9f20000 | 0x7ff7c9f20000 | 0x7ff7c9f42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7c9f4c000 | 0x7ff7c9f4c000 | 0x7ff7c9f4cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7c9f4e000 | 0x7ff7c9f4e000 | 0x7ff7c9f4ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #53: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #53 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:16, Reason: Child Process |
| Unmonitor | End Time: 00:02:19, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1890 |
| Parent PID | 0x17c8 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1894
0x
1908
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000b4f3f00000 | 0xb4f3f00000 | 0xb4f3f1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b4f3f00000 | 0xb4f3f00000 | 0xb4f3f0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b4f3f10000 | 0xb4f3f10000 | 0xb4f3f16fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b4f3f20000 | 0xb4f3f20000 | 0xb4f3f33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b4f3f40000 | 0xb4f3f40000 | 0xb4f3fbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b4f3fc0000 | 0xb4f3fc0000 | 0xb4f3fc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b4f3fd0000 | 0xb4f3fd0000 | 0xb4f3fd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b4f3fe0000 | 0xb4f3fe0000 | 0xb4f3fe1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b4f3ff0000 | 0xb4f3ff0000 | 0xb4f3ff6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xb4f4000000 | 0xb4f4002fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000b4f4030000 | 0xb4f4030000 | 0xb4f412ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xb4f4130000 | 0xb4f41edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b4f41f0000 | 0xb4f41f0000 | 0xb4f426ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0xb4f4270000 | 0xb4f42a1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b4f43a0000 | 0xb4f43a0000 | 0xb4f43affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff170000 | 0x7df5ff170000 | 0x7ff5ff16ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6484a0000 | 0x7ff6484a0000 | 0x7ff64859ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6485a0000 | 0x7ff6485a0000 | 0x7ff6485c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6485c8000 | 0x7ff6485c8000 | 0x7ff6485c8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6485cc000 | 0x7ff6485cc000 | 0x7ff6485cdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6485ce000 | 0x7ff6485ce000 | 0x7ff6485cffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc4d480000 | 0x7ffc4d493fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xb4f4000000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #54: net.exe
0
0
| Information | Value |
|---|---|
| ID | #54 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:17, Reason: Child Process |
| Unmonitor | End Time: 00:02:18, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1944 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1948
0x
19A8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000b1ef020000 | 0xb1ef020000 | 0xb1ef03ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b1ef020000 | 0xb1ef020000 | 0xb1ef02ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b1ef040000 | 0xb1ef040000 | 0xb1ef053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b1ef060000 | 0xb1ef060000 | 0xb1ef0dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b1ef0e0000 | 0xb1ef0e0000 | 0xb1ef0e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b1ef0f0000 | 0xb1ef0f0000 | 0xb1ef0f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b1ef100000 | 0xb1ef100000 | 0xb1ef101fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xb1ef110000 | 0xb1ef1cdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b1ef1e0000 | 0xb1ef1e0000 | 0xb1ef2dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff7a0000 | 0x7df5ff7a0000 | 0x7ff5ff79ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca1d0000 | 0x7ff7ca1d0000 | 0x7ff7ca2cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7ca2d0000 | 0x7ff7ca2d0000 | 0x7ff7ca2f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca2f5000 | 0x7ff7ca2f5000 | 0x7ff7ca2f5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca2fe000 | 0x7ff7ca2fe000 | 0x7ff7ca2fffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #56: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #56 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:18, Reason: Child Process |
| Unmonitor | End Time: 00:02:19, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x19c4 |
| Parent PID | 0x1944 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
19C8
0x
19CC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000004d79c70000 | 0x4d79c70000 | 0x4d79c8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004d79c70000 | 0x4d79c70000 | 0x4d79c7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000004d79c80000 | 0x4d79c80000 | 0x4d79c86fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004d79c90000 | 0x4d79c90000 | 0x4d79ca3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004d79cb0000 | 0x4d79cb0000 | 0x4d79d2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004d79d30000 | 0x4d79d30000 | 0x4d79d33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000004d79d40000 | 0x4d79d40000 | 0x4d79d40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004d79d50000 | 0x4d79d50000 | 0x4d79d51fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x4d79d60000 | 0x4d79e1dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004d79e20000 | 0x4d79e20000 | 0x4d79e26fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x4d79e30000 | 0x4d79e32fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0x4d79e40000 | 0x4d79e71fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004d79e90000 | 0x4d79e90000 | 0x4d79f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004d79f90000 | 0x4d79f90000 | 0x4d7a00ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004d7a080000 | 0x4d7a080000 | 0x4d7a08ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff0b0000 | 0x7df5ff0b0000 | 0x7ff5ff0affff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648a90000 | 0x7ff648a90000 | 0x7ff648b8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648b90000 | 0x7ff648b90000 | 0x7ff648bb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff648bb8000 | 0x7ff648bb8000 | 0x7ff648bb8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648bbc000 | 0x7ff648bbc000 | 0x7ff648bbdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648bbe000 | 0x7ff648bbe000 | 0x7ff648bbffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc4d480000 | 0x7ffc4d493fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x4d79e30000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #57: net.exe
0
0
| Information | Value |
|---|---|
| ID | #57 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:27, Reason: Child Process |
| Unmonitor | End Time: 00:02:32, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1ef8 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1EFC
0x
2014
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000009acd0e0000 | 0x9acd0e0000 | 0x9acd0fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000009acd0e0000 | 0x9acd0e0000 | 0x9acd0effff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000009acd100000 | 0x9acd100000 | 0x9acd113fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000009acd120000 | 0x9acd120000 | 0x9acd19ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000009acd1a0000 | 0x9acd1a0000 | 0x9acd1a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000009acd1b0000 | 0x9acd1b0000 | 0x9acd1b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000009acd1c0000 | 0x9acd1c0000 | 0x9acd1c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x9acd1d0000 | 0x9acd28dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000009acd350000 | 0x9acd350000 | 0x9acd44ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff640000 | 0x7df5ff640000 | 0x7ff5ff63ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca470000 | 0x7ff7ca470000 | 0x7ff7ca56ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7ca570000 | 0x7ff7ca570000 | 0x7ff7ca592fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca59d000 | 0x7ff7ca59d000 | 0x7ff7ca59efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca59f000 | 0x7ff7ca59f000 | 0x7ff7ca59ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #59: net.exe
0
0
| Information | Value |
|---|---|
| ID | #59 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:29, Reason: Child Process |
| Unmonitor | End Time: 00:02:32, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1f88 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1F8C
0x
2060
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000062cb050000 | 0x62cb050000 | 0x62cb06ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000062cb050000 | 0x62cb050000 | 0x62cb05ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000062cb070000 | 0x62cb070000 | 0x62cb083fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000062cb090000 | 0x62cb090000 | 0x62cb10ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000062cb110000 | 0x62cb110000 | 0x62cb113fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000062cb120000 | 0x62cb120000 | 0x62cb120fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000062cb130000 | 0x62cb130000 | 0x62cb131fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x62cb140000 | 0x62cb1fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000062cb2c0000 | 0x62cb2c0000 | 0x62cb3bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffaf0000 | 0x7df5ffaf0000 | 0x7ff5ffaeffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca420000 | 0x7ff7ca420000 | 0x7ff7ca51ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7ca520000 | 0x7ff7ca520000 | 0x7ff7ca542fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca544000 | 0x7ff7ca544000 | 0x7ff7ca544fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca54e000 | 0x7ff7ca54e000 | 0x7ff7ca54ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #61: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #61 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:31, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2058 |
| Parent PID | 0x1ef8 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
205C
0x
2064
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000e89fd40000 | 0xe89fd40000 | 0xe89fd5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e89fd40000 | 0xe89fd40000 | 0xe89fd4ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000e89fd50000 | 0xe89fd50000 | 0xe89fd56fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e89fd60000 | 0xe89fd60000 | 0xe89fd73fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e89fd80000 | 0xe89fd80000 | 0xe89fdfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e89fe00000 | 0xe89fe00000 | 0xe89fe03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e89fe10000 | 0xe89fe10000 | 0xe89fe10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e89fe20000 | 0xe89fe20000 | 0xe89fe21fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xe89fe30000 | 0xe89feedfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e89fef0000 | 0xe89fef0000 | 0xe89ff6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e89ff70000 | 0xe89ff70000 | 0xe89ff76fff | Private Memory | rw |
|
|
|
- |
| private_0x000000e89ff80000 | 0xe89ff80000 | 0xe89ff8ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xe89ff90000 | 0xe89ff92fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000e89ffc0000 | 0xe89ffc0000 | 0xe8a00bffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0xe8a00c0000 | 0xe8a00f1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ffb70000 | 0x7df5ffb70000 | 0x7ff5ffb6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff647ff0000 | 0x7ff647ff0000 | 0x7ff6480effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6480f0000 | 0x7ff6480f0000 | 0x7ff648112fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff64811b000 | 0x7ff64811b000 | 0x7ff64811cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64811d000 | 0x7ff64811d000 | 0x7ff64811efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64811f000 | 0x7ff64811f000 | 0x7ff64811ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xe89ff90000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #62: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #62 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:32, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x206c |
| Parent PID | 0x1f88 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2070
0x
2078
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000006bdb560000 | 0x6bdb560000 | 0x6bdb57ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006bdb560000 | 0x6bdb560000 | 0x6bdb56ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000006bdb570000 | 0x6bdb570000 | 0x6bdb576fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006bdb580000 | 0x6bdb580000 | 0x6bdb593fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006bdb5a0000 | 0x6bdb5a0000 | 0x6bdb61ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006bdb620000 | 0x6bdb620000 | 0x6bdb623fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000006bdb630000 | 0x6bdb630000 | 0x6bdb630fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006bdb640000 | 0x6bdb640000 | 0x6bdb641fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x6bdb650000 | 0x6bdb70dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000006bdb710000 | 0x6bdb710000 | 0x6bdb716fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x6bdb720000 | 0x6bdb722fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000006bdb730000 | 0x6bdb730000 | 0x6bdb82ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000006bdb830000 | 0x6bdb830000 | 0x6bdb8affff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x6bdb8b0000 | 0x6bdb8e1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000006bdb920000 | 0x6bdb920000 | 0x6bdb92ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff470000 | 0x7df5ff470000 | 0x7ff5ff46ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff647f40000 | 0x7ff647f40000 | 0x7ff64803ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648040000 | 0x7ff648040000 | 0x7ff648062fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff64806b000 | 0x7ff64806b000 | 0x7ff64806cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64806d000 | 0x7ff64806d000 | 0x7ff64806efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64806f000 | 0x7ff64806f000 | 0x7ff64806ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x6bdb720000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #63: net.exe
0
0
| Information | Value |
|---|---|
| ID | #63 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:38, Reason: Child Process |
| Unmonitor | End Time: 00:02:43, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x139c |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1C9C
0x
2090
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000002c6b0e0000 | 0x2c6b0e0000 | 0x2c6b0fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002c6b0e0000 | 0x2c6b0e0000 | 0x2c6b0effff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000002c6b100000 | 0x2c6b100000 | 0x2c6b113fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002c6b120000 | 0x2c6b120000 | 0x2c6b19ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002c6b1a0000 | 0x2c6b1a0000 | 0x2c6b1a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000002c6b1b0000 | 0x2c6b1b0000 | 0x2c6b1b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002c6b1c0000 | 0x2c6b1c0000 | 0x2c6b1c1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000002c6b220000 | 0x2c6b220000 | 0x2c6b31ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x2c6b320000 | 0x2c6b3ddfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ffc10000 | 0x7df5ffc10000 | 0x7ff5ffc0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7c9c40000 | 0x7ff7c9c40000 | 0x7ff7c9d3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7c9d40000 | 0x7ff7c9d40000 | 0x7ff7c9d62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7c9d63000 | 0x7ff7c9d63000 | 0x7ff7c9d63fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7c9d6e000 | 0x7ff7c9d6e000 | 0x7ff7c9d6ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #65: net.exe
0
0
| Information | Value |
|---|---|
| ID | #65 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:39, Reason: Child Process |
| Unmonitor | End Time: 00:02:43, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa9c |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AA0
0x
24A0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000008d09a00000 | 0x8d09a00000 | 0x8d09a1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008d09a00000 | 0x8d09a00000 | 0x8d09a0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000008d09a20000 | 0x8d09a20000 | 0x8d09a33fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008d09a40000 | 0x8d09a40000 | 0x8d09abffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008d09ac0000 | 0x8d09ac0000 | 0x8d09ac3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008d09ad0000 | 0x8d09ad0000 | 0x8d09ad0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008d09ae0000 | 0x8d09ae0000 | 0x8d09ae1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x8d09af0000 | 0x8d09badfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008d09c40000 | 0x8d09c40000 | 0x8d09d3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5fffc0000 | 0x7df5fffc0000 | 0x7ff5fffbffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca4c0000 | 0x7ff7ca4c0000 | 0x7ff7ca5bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7ca5c0000 | 0x7ff7ca5c0000 | 0x7ff7ca5e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca5ed000 | 0x7ff7ca5ed000 | 0x7ff7ca5edfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca5ee000 | 0x7ff7ca5ee000 | 0x7ff7ca5effff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #67: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #67 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:41, Reason: Child Process |
| Unmonitor | End Time: 00:02:42, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2428 |
| Parent PID | 0x139c (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
242C
0x
2518
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000060ba340000 | 0x60ba340000 | 0x60ba35ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000060ba340000 | 0x60ba340000 | 0x60ba34ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000060ba350000 | 0x60ba350000 | 0x60ba356fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000060ba360000 | 0x60ba360000 | 0x60ba373fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000060ba380000 | 0x60ba380000 | 0x60ba3fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000060ba400000 | 0x60ba400000 | 0x60ba403fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000060ba410000 | 0x60ba410000 | 0x60ba410fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000060ba420000 | 0x60ba420000 | 0x60ba421fff | Private Memory | rw |
|
|
|
- |
| private_0x00000060ba430000 | 0x60ba430000 | 0x60ba52ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x60ba530000 | 0x60ba5edfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000060ba5f0000 | 0x60ba5f0000 | 0x60ba66ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000060ba670000 | 0x60ba670000 | 0x60ba676fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x60ba680000 | 0x60ba682fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0x60ba690000 | 0x60ba6c1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000060ba830000 | 0x60ba830000 | 0x60ba83ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff230000 | 0x7df5ff230000 | 0x7ff5ff22ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648190000 | 0x7ff648190000 | 0x7ff64828ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648290000 | 0x7ff648290000 | 0x7ff6482b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6482b5000 | 0x7ff6482b5000 | 0x7ff6482b5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6482bc000 | 0x7ff6482bc000 | 0x7ff6482bdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6482be000 | 0x7ff6482be000 | 0x7ff6482bffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x60ba680000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #68: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #68 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:42, Reason: Child Process |
| Unmonitor | End Time: 00:02:43, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2550 |
| Parent PID | 0xa9c (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2554
0x
2590
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000ba533b0000 | 0xba533b0000 | 0xba533cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ba533b0000 | 0xba533b0000 | 0xba533bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ba533c0000 | 0xba533c0000 | 0xba533c6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ba533d0000 | 0xba533d0000 | 0xba533e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ba533f0000 | 0xba533f0000 | 0xba5346ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ba53470000 | 0xba53470000 | 0xba53473fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ba53480000 | 0xba53480000 | 0xba53480fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ba53490000 | 0xba53490000 | 0xba53491fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xba534a0000 | 0xba5355dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ba53560000 | 0xba53560000 | 0xba53566fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xba53570000 | 0xba53572fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0xba53580000 | 0xba535b1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ba535c0000 | 0xba535c0000 | 0xba536bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ba536c0000 | 0xba536c0000 | 0xba5373ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ba538d0000 | 0xba538d0000 | 0xba538dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffed0000 | 0x7df5ffed0000 | 0x7ff5ffecffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff647f70000 | 0x7ff647f70000 | 0x7ff64806ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648070000 | 0x7ff648070000 | 0x7ff648092fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff64809b000 | 0x7ff64809b000 | 0x7ff64809bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64809c000 | 0x7ff64809c000 | 0x7ff64809dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64809e000 | 0x7ff64809e000 | 0x7ff64809ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xba53570000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #69: net.exe
0
0
| Information | Value |
|---|---|
| ID | #69 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:49, Reason: Child Process |
| Unmonitor | End Time: 00:02:53, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x29d4 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
29D8
0x
2B68
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000043b2380000 | 0x43b2380000 | 0x43b239ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000043b2380000 | 0x43b2380000 | 0x43b238ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000043b23a0000 | 0x43b23a0000 | 0x43b23b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000043b23c0000 | 0x43b23c0000 | 0x43b243ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000043b2440000 | 0x43b2440000 | 0x43b2443fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000043b2450000 | 0x43b2450000 | 0x43b2450fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000043b2460000 | 0x43b2460000 | 0x43b2461fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x43b2470000 | 0x43b252dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000043b25f0000 | 0x43b25f0000 | 0x43b26effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffed0000 | 0x7df5ffed0000 | 0x7ff5ffecffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7c9eb0000 | 0x7ff7c9eb0000 | 0x7ff7c9faffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7c9fb0000 | 0x7ff7c9fb0000 | 0x7ff7c9fd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7c9fdd000 | 0x7ff7c9fdd000 | 0x7ff7c9fddfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7c9fde000 | 0x7ff7c9fde000 | 0x7ff7c9fdffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #71: net.exe
0
0
| Information | Value |
|---|---|
| ID | #71 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:50, Reason: Child Process |
| Unmonitor | End Time: 00:02:54, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2a98 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2A9C
0x
2C08
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000bf64860000 | 0xbf64860000 | 0xbf6487ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000bf64860000 | 0xbf64860000 | 0xbf6486ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000bf64880000 | 0xbf64880000 | 0xbf64893fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000bf648a0000 | 0xbf648a0000 | 0xbf6491ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000bf64920000 | 0xbf64920000 | 0xbf64923fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000bf64930000 | 0xbf64930000 | 0xbf64930fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000bf64940000 | 0xbf64940000 | 0xbf64941fff | Private Memory | rw |
|
|
|
- |
| private_0x000000bf649c0000 | 0xbf649c0000 | 0xbf64abffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xbf64ac0000 | 0xbf64b7dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff210000 | 0x7df5ff210000 | 0x7ff5ff20ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca370000 | 0x7ff7ca370000 | 0x7ff7ca46ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7ca470000 | 0x7ff7ca470000 | 0x7ff7ca492fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca49d000 | 0x7ff7ca49d000 | 0x7ff7ca49efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca49f000 | 0x7ff7ca49f000 | 0x7ff7ca49ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #73: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #73 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:51, Reason: Child Process |
| Unmonitor | End Time: 00:02:52, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2a60 |
| Parent PID | 0x29d4 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1AC0
0x
2C0C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000000be7490000 | 0xbe7490000 | 0xbe74affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000be7490000 | 0xbe7490000 | 0xbe749ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000be74a0000 | 0xbe74a0000 | 0xbe74a6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000be74b0000 | 0xbe74b0000 | 0xbe74c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000be74d0000 | 0xbe74d0000 | 0xbe754ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000be7550000 | 0xbe7550000 | 0xbe7553fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000be7560000 | 0xbe7560000 | 0xbe7560fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000be7570000 | 0xbe7570000 | 0xbe7571fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000be7580000 | 0xbe7580000 | 0xbe7586fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xbe7590000 | 0xbe7592fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0xbe75a0000 | 0xbe75d1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000be75e0000 | 0xbe75e0000 | 0xbe76dffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xbe76e0000 | 0xbe779dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000be77a0000 | 0xbe77a0000 | 0xbe781ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000be7970000 | 0xbe7970000 | 0xbe797ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff2a0000 | 0x7df5ff2a0000 | 0x7ff5ff29ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648b50000 | 0x7ff648b50000 | 0x7ff648c4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648c50000 | 0x7ff648c50000 | 0x7ff648c72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff648c77000 | 0x7ff648c77000 | 0x7ff648c77fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648c7c000 | 0x7ff648c7c000 | 0x7ff648c7dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648c7e000 | 0x7ff648c7e000 | 0x7ff648c7ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50e30000 | 0x7ffc50e43fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xbe7590000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #74: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #74 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:52, Reason: Child Process |
| Unmonitor | End Time: 00:02:53, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2c10 |
| Parent PID | 0x2a98 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2C14
0x
2C18
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000af4e9f0000 | 0xaf4e9f0000 | 0xaf4ea0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000af4e9f0000 | 0xaf4e9f0000 | 0xaf4e9fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000af4ea00000 | 0xaf4ea00000 | 0xaf4ea06fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000af4ea10000 | 0xaf4ea10000 | 0xaf4ea23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000af4ea30000 | 0xaf4ea30000 | 0xaf4eaaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000af4eab0000 | 0xaf4eab0000 | 0xaf4eab3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000af4eac0000 | 0xaf4eac0000 | 0xaf4eac0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000af4ead0000 | 0xaf4ead0000 | 0xaf4ead1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000af4eae0000 | 0xaf4eae0000 | 0xaf4eb5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000af4eb60000 | 0xaf4eb60000 | 0xaf4eb66fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xaf4eb70000 | 0xaf4eb72fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000af4eb90000 | 0xaf4eb90000 | 0xaf4ec8ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xaf4ec90000 | 0xaf4ed4dfff | Memory Mapped File | r |
|
|
|
- |
| netmsg.dll.mui | 0xaf4ed50000 | 0xaf4ed81fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000af4ee00000 | 0xaf4ee00000 | 0xaf4ee0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff2e0000 | 0x7df5ff2e0000 | 0x7ff5ff2dffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648d80000 | 0x7ff648d80000 | 0x7ff648e7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648e80000 | 0x7ff648e80000 | 0x7ff648ea2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff648eaa000 | 0x7ff648eaa000 | 0x7ff648eaafff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648eac000 | 0x7ff648eac000 | 0x7ff648eadfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648eae000 | 0x7ff648eae000 | 0x7ff648eaffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50e30000 | 0x7ffc50e43fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xaf4eb70000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #75: net.exe
0
0
| Information | Value |
|---|---|
| ID | #75 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:00, Reason: Child Process |
| Unmonitor | End Time: 00:03:07, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x33f8 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
33FC
0x
3724
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000e6c5fd0000 | 0xe6c5fd0000 | 0xe6c5feffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e6c5fd0000 | 0xe6c5fd0000 | 0xe6c5fdffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000e6c5ff0000 | 0xe6c5ff0000 | 0xe6c6003fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e6c6010000 | 0xe6c6010000 | 0xe6c608ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e6c6090000 | 0xe6c6090000 | 0xe6c6093fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e6c60a0000 | 0xe6c60a0000 | 0xe6c60a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e6c60b0000 | 0xe6c60b0000 | 0xe6c60b1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xe6c60c0000 | 0xe6c617dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e6c6270000 | 0xe6c6270000 | 0xe6c636ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffce0000 | 0x7df5ffce0000 | 0x7ff5ffcdffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca510000 | 0x7ff7ca510000 | 0x7ff7ca60ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7ca610000 | 0x7ff7ca610000 | 0x7ff7ca632fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca63a000 | 0x7ff7ca63a000 | 0x7ff7ca63afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca63e000 | 0x7ff7ca63e000 | 0x7ff7ca63ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #77: net.exe
0
0
| Information | Value |
|---|---|
| ID | #77 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:01, Reason: Child Process |
| Unmonitor | End Time: 00:03:06, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x35e0 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
35E4
0x
3804
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000007484570000 | 0x7484570000 | 0x748458ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007484570000 | 0x7484570000 | 0x748457ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000007484590000 | 0x7484590000 | 0x74845a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000074845b0000 | 0x74845b0000 | 0x748462ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000007484630000 | 0x7484630000 | 0x7484633fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000007484640000 | 0x7484640000 | 0x7484640fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000007484650000 | 0x7484650000 | 0x7484651fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x7484660000 | 0x748471dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000007484750000 | 0x7484750000 | 0x748484ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffa40000 | 0x7df5ffa40000 | 0x7ff5ffa3ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca940000 | 0x7ff7ca940000 | 0x7ff7caa3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7caa40000 | 0x7ff7caa40000 | 0x7ff7caa62fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7caa6d000 | 0x7ff7caa6d000 | 0x7ff7caa6efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7caa6f000 | 0x7ff7caa6f000 | 0x7ff7caa6ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #79: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #79 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:02, Reason: Child Process |
| Unmonitor | End Time: 00:03:06, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x37e4 |
| Parent PID | 0x33f8 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
37E8
0x
3834
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000043323b0000 | 0x43323b0000 | 0x43323cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000043323b0000 | 0x43323b0000 | 0x43323bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000043323c0000 | 0x43323c0000 | 0x43323c6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000043323d0000 | 0x43323d0000 | 0x43323e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000043323f0000 | 0x43323f0000 | 0x433246ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004332470000 | 0x4332470000 | 0x4332473fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000004332480000 | 0x4332480000 | 0x4332480fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004332490000 | 0x4332490000 | 0x4332491fff | Private Memory | rw |
|
|
|
- |
| private_0x00000043324a0000 | 0x43324a0000 | 0x433251ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000004332520000 | 0x4332520000 | 0x4332526fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x4332530000 | 0x4332532fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000004332550000 | 0x4332550000 | 0x433264ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x4332650000 | 0x433270dfff | Memory Mapped File | r |
|
|
|
- |
| netmsg.dll.mui | 0x4332710000 | 0x4332741fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000043328f0000 | 0x43328f0000 | 0x43328fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff8b0000 | 0x7df5ff8b0000 | 0x7ff5ff8affff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648380000 | 0x7ff648380000 | 0x7ff64847ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648480000 | 0x7ff648480000 | 0x7ff6484a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6484a7000 | 0x7ff6484a7000 | 0x7ff6484a7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6484ac000 | 0x7ff6484ac000 | 0x7ff6484adfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6484ae000 | 0x7ff6484ae000 | 0x7ff6484affff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50e30000 | 0x7ffc50e43fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x4332530000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #80: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #80 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:03, Reason: Child Process |
| Unmonitor | End Time: 00:03:06, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x38b0 |
| Parent PID | 0x35e0 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
38B4
0x
3970
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000630f8e0000 | 0x630f8e0000 | 0x630f8fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000630f8e0000 | 0x630f8e0000 | 0x630f8effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000630f8f0000 | 0x630f8f0000 | 0x630f8f6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000630f900000 | 0x630f900000 | 0x630f913fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000630f920000 | 0x630f920000 | 0x630f99ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000630f9a0000 | 0x630f9a0000 | 0x630f9a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000630f9b0000 | 0x630f9b0000 | 0x630f9b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000630f9c0000 | 0x630f9c0000 | 0x630f9c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x630f9d0000 | 0x630fa8dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000630fa90000 | 0x630fa90000 | 0x630fb0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000630fb10000 | 0x630fb10000 | 0x630fb16fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x630fb20000 | 0x630fb22fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0x630fb30000 | 0x630fb61fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000630fbb0000 | 0x630fbb0000 | 0x630fcaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000630fe00000 | 0x630fe00000 | 0x630fe0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff050000 | 0x7df5ff050000 | 0x7ff5ff04ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648e10000 | 0x7ff648e10000 | 0x7ff648f0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648f10000 | 0x7ff648f10000 | 0x7ff648f32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff648f3a000 | 0x7ff648f3a000 | 0x7ff648f3bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648f3c000 | 0x7ff648f3c000 | 0x7ff648f3dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648f3e000 | 0x7ff648f3e000 | 0x7ff648f3efff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc50e30000 | 0x7ffc50e43fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x630fb20000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #81: net.exe
0
0
| Information | Value |
|---|---|
| ID | #81 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:10, Reason: Child Process |
| Unmonitor | End Time: 00:03:17, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x44d8 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
44DC
0x
46D8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000fdfe580000 | 0xfdfe580000 | 0xfdfe59ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000fdfe580000 | 0xfdfe580000 | 0xfdfe58ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000fdfe5a0000 | 0xfdfe5a0000 | 0xfdfe5b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000fdfe5c0000 | 0xfdfe5c0000 | 0xfdfe63ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000fdfe640000 | 0xfdfe640000 | 0xfdfe643fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000fdfe650000 | 0xfdfe650000 | 0xfdfe650fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000fdfe660000 | 0xfdfe660000 | 0xfdfe661fff | Private Memory | rw |
|
|
|
- |
| private_0x000000fdfe6e0000 | 0xfdfe6e0000 | 0xfdfe7dffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xfdfe7e0000 | 0xfdfe89dfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff3b0000 | 0x7df5ff3b0000 | 0x7ff5ff3affff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca720000 | 0x7ff7ca720000 | 0x7ff7ca81ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7ca820000 | 0x7ff7ca820000 | 0x7ff7ca842fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca84d000 | 0x7ff7ca84d000 | 0x7ff7ca84efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca84f000 | 0x7ff7ca84f000 | 0x7ff7ca84ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #83: net.exe
0
0
| Information | Value |
|---|---|
| ID | #83 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:12, Reason: Child Process |
| Unmonitor | End Time: 00:03:18, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x46e0 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
46E4
0x
497C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000066c4430000 | 0x66c4430000 | 0x66c444ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000066c4450000 | 0x66c4450000 | 0x66c4463fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000066c4470000 | 0x66c4470000 | 0x66c44effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000066c44f0000 | 0x66c44f0000 | 0x66c44f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000066c4500000 | 0x66c4500000 | 0x66c4500fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000066c4510000 | 0x66c4510000 | 0x66c4511fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff5d0000 | 0x7df5ff5d0000 | 0x7ff5ff5cffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca850000 | 0x7ff7ca850000 | 0x7ff7ca872fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca876000 | 0x7ff7ca876000 | 0x7ff7ca876fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca87e000 | 0x7ff7ca87e000 | 0x7ff7ca87ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #85: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #85 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:12, Reason: Child Process |
| Unmonitor | End Time: 00:03:16, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4744 |
| Parent PID | 0x44d8 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4748
0x
485C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000cebca10000 | 0xcebca10000 | 0xcebca2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cebca10000 | 0xcebca10000 | 0xcebca1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000cebca20000 | 0xcebca20000 | 0xcebca26fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cebca30000 | 0xcebca30000 | 0xcebca43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000cebca50000 | 0xcebca50000 | 0xcebcacffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000cebcad0000 | 0xcebcad0000 | 0xcebcad3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000cebcae0000 | 0xcebcae0000 | 0xcebcae0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000cebcaf0000 | 0xcebcaf0000 | 0xcebcaf1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xcebcb00000 | 0xcebcbbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000cebcbc0000 | 0xcebcbc0000 | 0xcebcc3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cebcc40000 | 0xcebcc40000 | 0xcebcc46fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xcebcc50000 | 0xcebcc52fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0xcebcc60000 | 0xcebcc91fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000cebccb0000 | 0xcebccb0000 | 0xcebcdaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000cebcf30000 | 0xcebcf30000 | 0xcebcf3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffe70000 | 0x7df5ffe70000 | 0x7ff5ffe6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648690000 | 0x7ff648690000 | 0x7ff64878ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648790000 | 0x7ff648790000 | 0x7ff6487b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6487ba000 | 0x7ff6487ba000 | 0x7ff6487bbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6487bc000 | 0x7ff6487bc000 | 0x7ff6487bdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6487be000 | 0x7ff6487be000 | 0x7ff6487befff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xcebcc50000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #86: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #86 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:18, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4a94 |
| Parent PID | 0x46e0 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4A98
0x
4BC4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000065ae760000 | 0x65ae760000 | 0x65ae77ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000065ae760000 | 0x65ae760000 | 0x65ae76ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000065ae770000 | 0x65ae770000 | 0x65ae776fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000065ae780000 | 0x65ae780000 | 0x65ae793fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000065ae7a0000 | 0x65ae7a0000 | 0x65ae81ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000065ae820000 | 0x65ae820000 | 0x65ae823fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000065ae830000 | 0x65ae830000 | 0x65ae830fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000065ae840000 | 0x65ae840000 | 0x65ae841fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x65ae850000 | 0x65ae90dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000065ae910000 | 0x65ae910000 | 0x65ae916fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x65ae920000 | 0x65ae922fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000065ae930000 | 0x65ae930000 | 0x65aea2ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000065aea30000 | 0x65aea30000 | 0x65aeaaffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x65aeab0000 | 0x65aeae1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000065aec10000 | 0x65aec10000 | 0x65aec1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffb70000 | 0x7df5ffb70000 | 0x7ff5ffb6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648ce0000 | 0x7ff648ce0000 | 0x7ff648ddffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648de0000 | 0x7ff648de0000 | 0x7ff648e02fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff648e06000 | 0x7ff648e06000 | 0x7ff648e06fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648e0c000 | 0x7ff648e0c000 | 0x7ff648e0dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648e0e000 | 0x7ff648e0e000 | 0x7ff648e0ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x65ae920000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #87: net.exe
0
0
| Information | Value |
|---|---|
| ID | #87 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:21, Reason: Child Process |
| Unmonitor | End Time: 00:03:21, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x552c |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5530
0x
554C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000002d577d0000 | 0x2d577d0000 | 0x2d577effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002d577f0000 | 0x2d577f0000 | 0x2d57803fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002d57810000 | 0x2d57810000 | 0x2d5788ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000002d57890000 | 0x2d57890000 | 0x2d57893fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000002d578a0000 | 0x2d578a0000 | 0x2d578a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000002d578b0000 | 0x2d578b0000 | 0x2d578b1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff5b0000 | 0x7df5ff5b0000 | 0x7ff5ff5affff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca140000 | 0x7ff7ca140000 | 0x7ff7ca162fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca16d000 | 0x7ff7ca16d000 | 0x7ff7ca16efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca16f000 | 0x7ff7ca16f000 | 0x7ff7ca16ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #89: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #89 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:21, Reason: Child Process |
| Unmonitor | End Time: 00:03:21, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5550 |
| Parent PID | 0x552c (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5554
0x
5558
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000eca14b0000 | 0xeca14b0000 | 0xeca14cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eca14b0000 | 0xeca14b0000 | 0xeca14bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000eca14c0000 | 0xeca14c0000 | 0xeca14c6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eca14d0000 | 0xeca14d0000 | 0xeca14e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000eca14f0000 | 0xeca14f0000 | 0xeca156ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000eca1570000 | 0xeca1570000 | 0xeca1573fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000eca1580000 | 0xeca1580000 | 0xeca1580fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000eca1590000 | 0xeca1590000 | 0xeca1591fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eca15a0000 | 0xeca15a0000 | 0xeca161ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000eca1620000 | 0xeca1620000 | 0xeca1626fff | Private Memory | rw |
|
|
|
- |
| private_0x000000eca1630000 | 0xeca1630000 | 0xeca172ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xeca1730000 | 0xeca17edfff | Memory Mapped File | r |
|
|
|
- |
| netmsg.dll | 0xeca17f0000 | 0xeca17f2fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0xeca1800000 | 0xeca1831fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000eca18d0000 | 0xeca18d0000 | 0xeca18dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffe80000 | 0x7df5ffe80000 | 0x7ff5ffe7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6483b0000 | 0x7ff6483b0000 | 0x7ff6484affff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6484b0000 | 0x7ff6484b0000 | 0x7ff6484d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6484d4000 | 0x7ff6484d4000 | 0x7ff6484d4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6484dc000 | 0x7ff6484dc000 | 0x7ff6484ddfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6484de000 | 0x7ff6484de000 | 0x7ff6484dffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xeca17f0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #90: net.exe
0
0
| Information | Value |
|---|---|
| ID | #90 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:22, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x55d4 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
55D8
0x
55F0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000001b20670000 | 0x1b20670000 | 0x1b2068ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001b20690000 | 0x1b20690000 | 0x1b206a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001b206b0000 | 0x1b206b0000 | 0x1b2072ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001b20730000 | 0x1b20730000 | 0x1b20733fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001b20740000 | 0x1b20740000 | 0x1b20740fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001b20750000 | 0x1b20750000 | 0x1b20751fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffd50000 | 0x7df5ffd50000 | 0x7ff5ffd4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca4a0000 | 0x7ff7ca4a0000 | 0x7ff7ca4c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca4cb000 | 0x7ff7ca4cb000 | 0x7ff7ca4cbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca4ce000 | 0x7ff7ca4ce000 | 0x7ff7ca4cffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #92: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #92 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:23, Reason: Child Process |
| Unmonitor | End Time: 00:03:23, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x55f4 |
| Parent PID | 0x55d4 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
55F8
0x
55FC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000a98c060000 | 0xa98c060000 | 0xa98c07ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a98c060000 | 0xa98c060000 | 0xa98c06ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a98c070000 | 0xa98c070000 | 0xa98c076fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a98c080000 | 0xa98c080000 | 0xa98c093fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a98c0a0000 | 0xa98c0a0000 | 0xa98c11ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a98c120000 | 0xa98c120000 | 0xa98c123fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a98c130000 | 0xa98c130000 | 0xa98c130fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a98c140000 | 0xa98c140000 | 0xa98c141fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xa98c150000 | 0xa98c20dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a98c210000 | 0xa98c210000 | 0xa98c28ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a98c290000 | 0xa98c290000 | 0xa98c296fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xa98c2a0000 | 0xa98c2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0xa98c2b0000 | 0xa98c2e1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a98c310000 | 0xa98c310000 | 0xa98c40ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a98c4e0000 | 0xa98c4e0000 | 0xa98c4effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffb60000 | 0x7df5ffb60000 | 0x7ff5ffb5ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6483c0000 | 0x7ff6483c0000 | 0x7ff6484bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6484c0000 | 0x7ff6484c0000 | 0x7ff6484e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6484eb000 | 0x7ff6484eb000 | 0x7ff6484ecfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6484ed000 | 0x7ff6484ed000 | 0x7ff6484eefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6484ef000 | 0x7ff6484ef000 | 0x7ff6484effff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xa98c2a0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #93: net.exe
0
0
| Information | Value |
|---|---|
| ID | #93 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:31, Reason: Child Process |
| Unmonitor | End Time: 00:03:33, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x58ac |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
58B0
0x
58E4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000006db7600000 | 0x6db7600000 | 0x6db761ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006db7620000 | 0x6db7620000 | 0x6db7633fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006db7640000 | 0x6db7640000 | 0x6db76bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006db76c0000 | 0x6db76c0000 | 0x6db76c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000006db76d0000 | 0x6db76d0000 | 0x6db76d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006db76e0000 | 0x6db76e0000 | 0x6db76e1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff280000 | 0x7df5ff280000 | 0x7ff5ff27ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca060000 | 0x7ff7ca060000 | 0x7ff7ca082fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca08a000 | 0x7ff7ca08a000 | 0x7ff7ca08afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca08e000 | 0x7ff7ca08e000 | 0x7ff7ca08ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #95: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #95 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:32, Reason: Child Process |
| Unmonitor | End Time: 00:03:33, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x58e8 |
| Parent PID | 0x58ac (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
58EC
0x
58F0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000e7b0940000 | 0xe7b0940000 | 0xe7b095ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e7b0940000 | 0xe7b0940000 | 0xe7b094ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000e7b0950000 | 0xe7b0950000 | 0xe7b0956fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e7b0960000 | 0xe7b0960000 | 0xe7b0973fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e7b0980000 | 0xe7b0980000 | 0xe7b09fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e7b0a00000 | 0xe7b0a00000 | 0xe7b0a03fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e7b0a10000 | 0xe7b0a10000 | 0xe7b0a10fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e7b0a20000 | 0xe7b0a20000 | 0xe7b0a21fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xe7b0a30000 | 0xe7b0aedfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e7b0af0000 | 0xe7b0af0000 | 0xe7b0af6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xe7b0b00000 | 0xe7b0b02fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0xe7b0b10000 | 0xe7b0b41fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e7b0b60000 | 0xe7b0b60000 | 0xe7b0c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e7b0c60000 | 0xe7b0c60000 | 0xe7b0cdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e7b0e50000 | 0xe7b0e50000 | 0xe7b0e5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff550000 | 0x7df5ff550000 | 0x7ff5ff54ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648300000 | 0x7ff648300000 | 0x7ff6483fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648400000 | 0x7ff648400000 | 0x7ff648422fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff648424000 | 0x7ff648424000 | 0x7ff648424fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64842c000 | 0x7ff64842c000 | 0x7ff64842dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64842e000 | 0x7ff64842e000 | 0x7ff64842ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc4fdf0000 | 0x7ffc4fe03fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xe7b0b00000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #96: net.exe
0
0
| Information | Value |
|---|---|
| ID | #96 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:33, Reason: Child Process |
| Unmonitor | End Time: 00:03:35, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5a48 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5A4C
0x
5A68
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000008c57a60000 | 0x8c57a60000 | 0x8c57a7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008c57a80000 | 0x8c57a80000 | 0x8c57a93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008c57aa0000 | 0x8c57aa0000 | 0x8c57b1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008c57b20000 | 0x8c57b20000 | 0x8c57b23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008c57b30000 | 0x8c57b30000 | 0x8c57b30fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008c57b40000 | 0x8c57b40000 | 0x8c57b41fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff730000 | 0x7df5ff730000 | 0x7ff5ff72ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7c9cf0000 | 0x7ff7c9cf0000 | 0x7ff7c9d12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7c9d13000 | 0x7ff7c9d13000 | 0x7ff7c9d13fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7c9d1e000 | 0x7ff7c9d1e000 | 0x7ff7c9d1ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #98: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #98 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:34, Reason: Child Process |
| Unmonitor | End Time: 00:03:35, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5a6c |
| Parent PID | 0x5a48 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5A70
0x
5A74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000004f68180000 | 0x4f68180000 | 0x4f6819ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004f68180000 | 0x4f68180000 | 0x4f6818ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000004f68190000 | 0x4f68190000 | 0x4f68196fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004f681a0000 | 0x4f681a0000 | 0x4f681b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004f681c0000 | 0x4f681c0000 | 0x4f6823ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004f68240000 | 0x4f68240000 | 0x4f68243fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000004f68250000 | 0x4f68250000 | 0x4f68250fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004f68260000 | 0x4f68260000 | 0x4f68261fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x4f68270000 | 0x4f6832dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004f68330000 | 0x4f68330000 | 0x4f683affff | Private Memory | rw |
|
|
|
- |
| private_0x0000004f683b0000 | 0x4f683b0000 | 0x4f683b6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x4f683c0000 | 0x4f683c2fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000004f683e0000 | 0x4f683e0000 | 0x4f684dffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x4f684e0000 | 0x4f68511fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000004f686d0000 | 0x4f686d0000 | 0x4f686dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff560000 | 0x7df5ff560000 | 0x7ff5ff55ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648df0000 | 0x7ff648df0000 | 0x7ff648eeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648ef0000 | 0x7ff648ef0000 | 0x7ff648f12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff648f1b000 | 0x7ff648f1b000 | 0x7ff648f1cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648f1d000 | 0x7ff648f1d000 | 0x7ff648f1efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648f1f000 | 0x7ff648f1f000 | 0x7ff648f1ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x4f683c0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #99: net.exe
0
0
| Information | Value |
|---|---|
| ID | #99 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:42, Reason: Child Process |
| Unmonitor | End Time: 00:03:44, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5b98 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5B9C
0x
5BF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000d6a4350000 | 0xd6a4350000 | 0xd6a436ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d6a4370000 | 0xd6a4370000 | 0xd6a4383fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d6a4390000 | 0xd6a4390000 | 0xd6a440ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d6a4410000 | 0xd6a4410000 | 0xd6a4413fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d6a4420000 | 0xd6a4420000 | 0xd6a4420fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d6a4430000 | 0xd6a4430000 | 0xd6a4431fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff480000 | 0x7df5ff480000 | 0x7ff5ff47ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7c9cc0000 | 0x7ff7c9cc0000 | 0x7ff7c9ce2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7c9ced000 | 0x7ff7c9ced000 | 0x7ff7c9cedfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7c9cee000 | 0x7ff7c9cee000 | 0x7ff7c9ceffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #101: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #101 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:43, Reason: Child Process |
| Unmonitor | End Time: 00:03:44, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x58f0 |
| Parent PID | 0x5b98 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
58B0
0x
58C0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000079fb3a0000 | 0x79fb3a0000 | 0x79fb3bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000079fb3a0000 | 0x79fb3a0000 | 0x79fb3affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000079fb3b0000 | 0x79fb3b0000 | 0x79fb3b6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000079fb3c0000 | 0x79fb3c0000 | 0x79fb3d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000079fb3e0000 | 0x79fb3e0000 | 0x79fb45ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000079fb460000 | 0x79fb460000 | 0x79fb463fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000079fb470000 | 0x79fb470000 | 0x79fb470fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000079fb480000 | 0x79fb480000 | 0x79fb481fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x79fb490000 | 0x79fb54dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000079fb550000 | 0x79fb550000 | 0x79fb5cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000079fb5d0000 | 0x79fb5d0000 | 0x79fb6cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000079fb6d0000 | 0x79fb6d0000 | 0x79fb6d6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x79fb6e0000 | 0x79fb6e2fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0x79fb6f0000 | 0x79fb721fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000079fb870000 | 0x79fb870000 | 0x79fb87ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffcf0000 | 0x7df5ffcf0000 | 0x7ff5ffceffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648040000 | 0x7ff648040000 | 0x7ff64813ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648140000 | 0x7ff648140000 | 0x7ff648162fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff64816a000 | 0x7ff64816a000 | 0x7ff64816bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64816c000 | 0x7ff64816c000 | 0x7ff64816dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64816e000 | 0x7ff64816e000 | 0x7ff64816efff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x79fb6e0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #102: net.exe
0
0
| Information | Value |
|---|---|
| ID | #102 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:43, Reason: Child Process |
| Unmonitor | End Time: 00:03:44, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x43b8 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4038
0x
5BCC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000a004570000 | 0xa004570000 | 0xa00458ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a004590000 | 0xa004590000 | 0xa0045a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a0045b0000 | 0xa0045b0000 | 0xa00462ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a004630000 | 0xa004630000 | 0xa004633fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a004640000 | 0xa004640000 | 0xa004640fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a004650000 | 0xa004650000 | 0xa004651fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff380000 | 0x7df5ff380000 | 0x7ff5ff37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca030000 | 0x7ff7ca030000 | 0x7ff7ca052fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca053000 | 0x7ff7ca053000 | 0x7ff7ca053fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca05e000 | 0x7ff7ca05e000 | 0x7ff7ca05ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #104: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #104 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:44, Reason: Child Process |
| Unmonitor | End Time: 00:03:44, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5c64 |
| Parent PID | 0x43b8 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5C68
0x
5C6C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000048a5a10000 | 0x48a5a10000 | 0x48a5a2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000048a5a10000 | 0x48a5a10000 | 0x48a5a1ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000048a5a20000 | 0x48a5a20000 | 0x48a5a26fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000048a5a30000 | 0x48a5a30000 | 0x48a5a43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000048a5a50000 | 0x48a5a50000 | 0x48a5acffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000048a5ad0000 | 0x48a5ad0000 | 0x48a5ad3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000048a5ae0000 | 0x48a5ae0000 | 0x48a5ae0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000048a5af0000 | 0x48a5af0000 | 0x48a5af1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x48a5b00000 | 0x48a5bbdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000048a5bc0000 | 0x48a5bc0000 | 0x48a5bc6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000048a5bd0000 | 0x48a5bd0000 | 0x48a5ccffff | Private Memory | rw |
|
|
|
- |
| private_0x00000048a5cd0000 | 0x48a5cd0000 | 0x48a5d4ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x48a5d50000 | 0x48a5d52fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0x48a5d60000 | 0x48a5d91fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000048a5f00000 | 0x48a5f00000 | 0x48a5f0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff310000 | 0x7df5ff310000 | 0x7ff5ff30ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648b60000 | 0x7ff648b60000 | 0x7ff648c5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648c60000 | 0x7ff648c60000 | 0x7ff648c82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff648c8b000 | 0x7ff648c8b000 | 0x7ff648c8cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648c8d000 | 0x7ff648c8d000 | 0x7ff648c8efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648c8f000 | 0x7ff648c8f000 | 0x7ff648c8ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x48a5d50000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #105: net.exe
0
0
| Information | Value |
|---|---|
| ID | #105 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:52, Reason: Child Process |
| Unmonitor | End Time: 00:03:54, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5ef0 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5EF4
0x
5F0C
0x
5F10
0x
5F14
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000e4f33e0000 | 0xe4f33e0000 | 0xe4f33fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e4f3400000 | 0xe4f3400000 | 0xe4f3413fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e4f3420000 | 0xe4f3420000 | 0xe4f349ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e4f34a0000 | 0xe4f34a0000 | 0xe4f34a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e4f34b0000 | 0xe4f34b0000 | 0xe4f34b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e4f34c0000 | 0xe4f34c0000 | 0xe4f34c1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffed0000 | 0x7df5ffed0000 | 0x7ff5ffecffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca020000 | 0x7ff7ca020000 | 0x7ff7ca042fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca04a000 | 0x7ff7ca04a000 | 0x7ff7ca04afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca04e000 | 0x7ff7ca04e000 | 0x7ff7ca04ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #107: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #107 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:53, Reason: Child Process |
| Unmonitor | End Time: 00:03:53, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5f18 |
| Parent PID | 0x5ef0 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5F1C
0x
5F20
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000ba17690000 | 0xba17690000 | 0xba176affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ba17690000 | 0xba17690000 | 0xba1769ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ba176a0000 | 0xba176a0000 | 0xba176a6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ba176b0000 | 0xba176b0000 | 0xba176c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ba176d0000 | 0xba176d0000 | 0xba1774ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ba17750000 | 0xba17750000 | 0xba17753fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ba17760000 | 0xba17760000 | 0xba17760fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ba17770000 | 0xba17770000 | 0xba17771fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ba17780000 | 0xba17780000 | 0xba177fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ba17800000 | 0xba17800000 | 0xba17806fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xba17810000 | 0xba17812fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000ba17820000 | 0xba17820000 | 0xba1782ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ba17830000 | 0xba17830000 | 0xba1792ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xba17930000 | 0xba179edfff | Memory Mapped File | r |
|
|
|
- |
| netmsg.dll.mui | 0xba179f0000 | 0xba17a21fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff2e0000 | 0x7df5ff2e0000 | 0x7ff5ff2dffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648640000 | 0x7ff648640000 | 0x7ff64873ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648740000 | 0x7ff648740000 | 0x7ff648762fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff648768000 | 0x7ff648768000 | 0x7ff648768fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64876c000 | 0x7ff64876c000 | 0x7ff64876dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64876e000 | 0x7ff64876e000 | 0x7ff64876ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xba17810000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #108: net.exe
0
0
| Information | Value |
|---|---|
| ID | #108 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:54, Reason: Child Process |
| Unmonitor | End Time: 00:03:55, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5f60 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5F64
0x
5F8C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000091b7730000 | 0x91b7730000 | 0x91b774ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000091b7750000 | 0x91b7750000 | 0x91b7763fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000091b7770000 | 0x91b7770000 | 0x91b77effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000091b77f0000 | 0x91b77f0000 | 0x91b77f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000091b7800000 | 0x91b7800000 | 0x91b7800fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000091b7810000 | 0x91b7810000 | 0x91b7811fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffdf0000 | 0x7df5ffdf0000 | 0x7ff5ffdeffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7c9f30000 | 0x7ff7c9f30000 | 0x7ff7c9f52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7c9f58000 | 0x7ff7c9f58000 | 0x7ff7c9f58fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7c9f5e000 | 0x7ff7c9f5e000 | 0x7ff7c9f5ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #110: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #110 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:03:54, Reason: Child Process |
| Unmonitor | End Time: 00:03:55, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5f90 |
| Parent PID | 0x5f60 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5F94
0x
5F98
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000b260050000 | 0xb260050000 | 0xb26006ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b260050000 | 0xb260050000 | 0xb26005ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b260060000 | 0xb260060000 | 0xb260066fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b260070000 | 0xb260070000 | 0xb260083fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b260090000 | 0xb260090000 | 0xb26010ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b260110000 | 0xb260110000 | 0xb260113fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b260120000 | 0xb260120000 | 0xb260120fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b260130000 | 0xb260130000 | 0xb260131fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xb260140000 | 0xb2601fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b260200000 | 0xb260200000 | 0xb26027ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b260280000 | 0xb260280000 | 0xb260286fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xb260290000 | 0xb260292fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0xb2602a0000 | 0xb2602d1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b260300000 | 0xb260300000 | 0xb2603fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b260530000 | 0xb260530000 | 0xb26053ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5fff80000 | 0x7df5fff80000 | 0x7ff5fff7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff647f30000 | 0x7ff647f30000 | 0x7ff64802ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648030000 | 0x7ff648030000 | 0x7ff648052fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff64805a000 | 0x7ff64805a000 | 0x7ff64805bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64805c000 | 0x7ff64805c000 | 0x7ff64805dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64805e000 | 0x7ff64805e000 | 0x7ff64805efff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xb260290000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #111: net.exe
0
0
| Information | Value |
|---|---|
| ID | #111 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:05, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x605c |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6060
0x
6198
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000008082a50000 | 0x8082a50000 | 0x8082a6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008082a70000 | 0x8082a70000 | 0x8082a83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008082a90000 | 0x8082a90000 | 0x8082b0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008082b10000 | 0x8082b10000 | 0x8082b13fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008082b20000 | 0x8082b20000 | 0x8082b20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008082b30000 | 0x8082b30000 | 0x8082b31fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff870000 | 0x7df5ff870000 | 0x7ff5ff86ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca010000 | 0x7ff7ca010000 | 0x7ff7ca032fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca035000 | 0x7ff7ca035000 | 0x7ff7ca035fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca03e000 | 0x7ff7ca03e000 | 0x7ff7ca03ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #113: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #113 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:04, Reason: Child Process |
| Unmonitor | End Time: 00:04:05, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x619c |
| Parent PID | 0x605c (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
61A0
0x
61B8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000500cf50000 | 0x500cf50000 | 0x500cf6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000500cf50000 | 0x500cf50000 | 0x500cf5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000500cf60000 | 0x500cf60000 | 0x500cf66fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000500cf70000 | 0x500cf70000 | 0x500cf83fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000500cf90000 | 0x500cf90000 | 0x500d00ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000500d010000 | 0x500d010000 | 0x500d013fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000500d020000 | 0x500d020000 | 0x500d020fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000500d030000 | 0x500d030000 | 0x500d031fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x500d040000 | 0x500d0fdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000500d100000 | 0x500d100000 | 0x500d17ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000500d180000 | 0x500d180000 | 0x500d186fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x500d190000 | 0x500d192fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000500d1b0000 | 0x500d1b0000 | 0x500d2affff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0x500d2b0000 | 0x500d2e1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000500d3f0000 | 0x500d3f0000 | 0x500d3fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff050000 | 0x7df5ff050000 | 0x7ff5ff04ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648d20000 | 0x7ff648d20000 | 0x7ff648e1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648e20000 | 0x7ff648e20000 | 0x7ff648e42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff648e4b000 | 0x7ff648e4b000 | 0x7ff648e4cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648e4d000 | 0x7ff648e4d000 | 0x7ff648e4efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff648e4f000 | 0x7ff648e4f000 | 0x7ff648e4ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x500d190000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #114: net.exe
0
0
| Information | Value |
|---|---|
| ID | #114 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:04, Reason: Child Process |
| Unmonitor | End Time: 00:04:05, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x61f4 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
61F8
0x
6214
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000ecc71d0000 | 0xecc71d0000 | 0xecc71effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ecc71f0000 | 0xecc71f0000 | 0xecc7203fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ecc7210000 | 0xecc7210000 | 0xecc728ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ecc7290000 | 0xecc7290000 | 0xecc7293fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ecc72a0000 | 0xecc72a0000 | 0xecc72a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ecc72b0000 | 0xecc72b0000 | 0xecc72b1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff2d0000 | 0x7df5ff2d0000 | 0x7ff5ff2cffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7cab60000 | 0x7ff7cab60000 | 0x7ff7cab82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7cab84000 | 0x7ff7cab84000 | 0x7ff7cab84fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cab8e000 | 0x7ff7cab8e000 | 0x7ff7cab8ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #116: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #116 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:05, Reason: Child Process |
| Unmonitor | End Time: 00:04:05, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6218 |
| Parent PID | 0x61f4 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
621C
0x
6220
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000ec67910000 | 0xec67910000 | 0xec6792ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ec67910000 | 0xec67910000 | 0xec6791ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000ec67920000 | 0xec67920000 | 0xec67926fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ec67930000 | 0xec67930000 | 0xec67943fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ec67950000 | 0xec67950000 | 0xec679cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000ec679d0000 | 0xec679d0000 | 0xec679d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000ec679e0000 | 0xec679e0000 | 0xec679e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000ec679f0000 | 0xec679f0000 | 0xec679f1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000ec67a00000 | 0xec67a00000 | 0xec67a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000ec67a80000 | 0xec67a80000 | 0xec67b7ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xec67b80000 | 0xec67c3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ec67c40000 | 0xec67c40000 | 0xec67c46fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xec67c50000 | 0xec67c52fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0xec67c60000 | 0xec67c91fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000ec67cc0000 | 0xec67cc0000 | 0xec67ccffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffca0000 | 0x7df5ffca0000 | 0x7ff5ffc9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648860000 | 0x7ff648860000 | 0x7ff64895ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648960000 | 0x7ff648960000 | 0x7ff648982fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff648986000 | 0x7ff648986000 | 0x7ff648986fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64898c000 | 0x7ff64898c000 | 0x7ff64898dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64898e000 | 0x7ff64898e000 | 0x7ff64898ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505c0000 | 0x7ffc505d3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xec67c50000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #117: net.exe
0
0
| Information | Value |
|---|---|
| ID | #117 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:13, Reason: Child Process |
| Unmonitor | End Time: 00:04:15, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x66d0 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
66D4
0x
6740
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x0000006d16540000 | 0x6d16540000 | 0x6d1655ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006d16560000 | 0x6d16560000 | 0x6d16573fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006d16580000 | 0x6d16580000 | 0x6d165fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000006d16600000 | 0x6d16600000 | 0x6d16603fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000006d16610000 | 0x6d16610000 | 0x6d16610fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000006d16620000 | 0x6d16620000 | 0x6d16621fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff4d0000 | 0x7df5ff4d0000 | 0x7ff5ff4cffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca4b0000 | 0x7ff7ca4b0000 | 0x7ff7ca4d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca4dc000 | 0x7ff7ca4dc000 | 0x7ff7ca4ddfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca4de000 | 0x7ff7ca4de000 | 0x7ff7ca4defff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #119: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #119 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:14, Reason: Child Process |
| Unmonitor | End Time: 00:04:15, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6744 |
| Parent PID | 0x66d0 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6748
0x
674C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000d9f1d90000 | 0xd9f1d90000 | 0xd9f1daffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d9f1d90000 | 0xd9f1d90000 | 0xd9f1d9ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000d9f1da0000 | 0xd9f1da0000 | 0xd9f1da6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d9f1db0000 | 0xd9f1db0000 | 0xd9f1dc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d9f1dd0000 | 0xd9f1dd0000 | 0xd9f1e4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000d9f1e50000 | 0xd9f1e50000 | 0xd9f1e53fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000d9f1e60000 | 0xd9f1e60000 | 0xd9f1e60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000d9f1e70000 | 0xd9f1e70000 | 0xd9f1e71fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xd9f1e80000 | 0xd9f1f3dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d9f1f40000 | 0xd9f1f40000 | 0xd9f1fbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d9f1fc0000 | 0xd9f1fc0000 | 0xd9f1fc6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xd9f1fd0000 | 0xd9f1fd2fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0xd9f1fe0000 | 0xd9f2011fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000d9f2050000 | 0xd9f2050000 | 0xd9f214ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000d9f22c0000 | 0xd9f22c0000 | 0xd9f22cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff5a0000 | 0x7df5ff5a0000 | 0x7ff5ff59ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff6483f0000 | 0x7ff6483f0000 | 0x7ff6484effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff6484f0000 | 0x7ff6484f0000 | 0x7ff648512fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff648517000 | 0x7ff648517000 | 0x7ff648517fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64851c000 | 0x7ff64851c000 | 0x7ff64851dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64851e000 | 0x7ff64851e000 | 0x7ff64851ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505a0000 | 0x7ffc505b3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xd9f1fd0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #120: net.exe
0
0
| Information | Value |
|---|---|
| ID | #120 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:15, Reason: Child Process |
| Unmonitor | End Time: 00:04:17, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x678c |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6790
0x
67B8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000a9def90000 | 0xa9def90000 | 0xa9defaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a9defb0000 | 0xa9defb0000 | 0xa9defc3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a9defd0000 | 0xa9defd0000 | 0xa9df04ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a9df050000 | 0xa9df050000 | 0xa9df053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a9df060000 | 0xa9df060000 | 0xa9df060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a9df070000 | 0xa9df070000 | 0xa9df071fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff240000 | 0x7df5ff240000 | 0x7ff5ff23ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca440000 | 0x7ff7ca440000 | 0x7ff7ca462fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca465000 | 0x7ff7ca465000 | 0x7ff7ca465fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca46e000 | 0x7ff7ca46e000 | 0x7ff7ca46ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #122: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #122 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:15, Reason: Child Process |
| Unmonitor | End Time: 00:04:16, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x67cc |
| Parent PID | 0x678c (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
67D0
0x
67D4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000197f430000 | 0x197f430000 | 0x197f44ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000197f430000 | 0x197f430000 | 0x197f43ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000197f440000 | 0x197f440000 | 0x197f446fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000197f450000 | 0x197f450000 | 0x197f463fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000197f470000 | 0x197f470000 | 0x197f4effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000197f4f0000 | 0x197f4f0000 | 0x197f4f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000197f500000 | 0x197f500000 | 0x197f500fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000197f510000 | 0x197f510000 | 0x197f511fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x197f520000 | 0x197f5ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000197f5e0000 | 0x197f5e0000 | 0x197f65ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000197f660000 | 0x197f660000 | 0x197f75ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000197f760000 | 0x197f760000 | 0x197f766fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x197f770000 | 0x197f772fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0x197f780000 | 0x197f7b1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000197f880000 | 0x197f880000 | 0x197f88ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff030000 | 0x7df5ff030000 | 0x7ff5ff02ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff647f90000 | 0x7ff647f90000 | 0x7ff64808ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648090000 | 0x7ff648090000 | 0x7ff6480b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6480bb000 | 0x7ff6480bb000 | 0x7ff6480bcfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6480bd000 | 0x7ff6480bd000 | 0x7ff6480bdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6480be000 | 0x7ff6480be000 | 0x7ff6480bffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc505a0000 | 0x7ffc505b3fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x197f770000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #123: net.exe
0
0
| Information | Value |
|---|---|
| ID | #123 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:23, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6a14 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6A18
0x
6A40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000174f820000 | 0x174f820000 | 0x174f83ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000174f840000 | 0x174f840000 | 0x174f853fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000174f860000 | 0x174f860000 | 0x174f8dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000174f8e0000 | 0x174f8e0000 | 0x174f8e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000174f8f0000 | 0x174f8f0000 | 0x174f8f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000174f900000 | 0x174f900000 | 0x174f901fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5fff70000 | 0x7df5fff70000 | 0x7ff5fff6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7cabf0000 | 0x7ff7cabf0000 | 0x7ff7cac12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7cac1d000 | 0x7ff7cac1d000 | 0x7ff7cac1efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7cac1f000 | 0x7ff7cac1f000 | 0x7ff7cac1ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #125: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #125 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:24, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6a44 |
| Parent PID | 0x6a14 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6A48
0x
6A4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000294d3b0000 | 0x294d3b0000 | 0x294d3cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000294d3b0000 | 0x294d3b0000 | 0x294d3bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000294d3c0000 | 0x294d3c0000 | 0x294d3c6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000294d3d0000 | 0x294d3d0000 | 0x294d3e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000294d3f0000 | 0x294d3f0000 | 0x294d46ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000294d470000 | 0x294d470000 | 0x294d473fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000294d480000 | 0x294d480000 | 0x294d480fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000294d490000 | 0x294d490000 | 0x294d491fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x294d4a0000 | 0x294d55dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000294d560000 | 0x294d560000 | 0x294d5dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000294d5e0000 | 0x294d5e0000 | 0x294d5e6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0x294d5f0000 | 0x294d5f2fff | Memory Mapped File | rwx |
|
|
|
- |
| netmsg.dll.mui | 0x294d600000 | 0x294d631fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000294d670000 | 0x294d670000 | 0x294d76ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000294d810000 | 0x294d810000 | 0x294d81ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff070000 | 0x7df5ff070000 | 0x7ff5ff06ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648180000 | 0x7ff648180000 | 0x7ff64827ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648280000 | 0x7ff648280000 | 0x7ff6482a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6482ab000 | 0x7ff6482ab000 | 0x7ff6482acfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6482ad000 | 0x7ff6482ad000 | 0x7ff6482aefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6482af000 | 0x7ff6482af000 | 0x7ff6482affff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc4d480000 | 0x7ffc4d493fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x294d5f0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #126: net.exe
0
0
| Information | Value |
|---|---|
| ID | #126 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:26, Reason: Child Process |
| Unmonitor | End Time: 00:04:28, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6ccc |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6CD0
0x
6DF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000973cdc0000 | 0x973cdc0000 | 0x973cddffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000973cde0000 | 0x973cde0000 | 0x973cdf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000973ce00000 | 0x973ce00000 | 0x973ce7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000973ce80000 | 0x973ce80000 | 0x973ce83fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000973ce90000 | 0x973ce90000 | 0x973ce90fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000973cea0000 | 0x973cea0000 | 0x973cea1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff770000 | 0x7df5ff770000 | 0x7ff5ff76ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7c9d00000 | 0x7ff7c9d00000 | 0x7ff7c9d22fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7c9d2c000 | 0x7ff7c9d2c000 | 0x7ff7c9d2cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7c9d2e000 | 0x7ff7c9d2e000 | 0x7ff7c9d2ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #128: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #128 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:27, Reason: Child Process |
| Unmonitor | End Time: 00:04:28, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6e14 |
| Parent PID | 0x6ccc (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6E18
0x
6F70
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000f40ecf0000 | 0xf40ecf0000 | 0xf40ed0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f40ecf0000 | 0xf40ecf0000 | 0xf40ecfffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000f40ed00000 | 0xf40ed00000 | 0xf40ed06fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f40ed10000 | 0xf40ed10000 | 0xf40ed23fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f40ed30000 | 0xf40ed30000 | 0xf40edaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f40edb0000 | 0xf40edb0000 | 0xf40edb3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f40edc0000 | 0xf40edc0000 | 0xf40edc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f40edd0000 | 0xf40edd0000 | 0xf40edd1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f40ede0000 | 0xf40ede0000 | 0xf40ede6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xf40edf0000 | 0xf40edf2fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000f40ee30000 | 0xf40ee30000 | 0xf40ef2ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xf40ef30000 | 0xf40efedfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f40eff0000 | 0xf40eff0000 | 0xf40f06ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0xf40f070000 | 0xf40f0a1fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f40f1a0000 | 0xf40f1a0000 | 0xf40f1affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffb70000 | 0x7df5ffb70000 | 0x7ff5ffb6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648180000 | 0x7ff648180000 | 0x7ff64827ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648280000 | 0x7ff648280000 | 0x7ff6482a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff6482aa000 | 0x7ff6482aa000 | 0x7ff6482abfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6482ac000 | 0x7ff6482ac000 | 0x7ff6482adfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff6482ae000 | 0x7ff6482ae000 | 0x7ff6482aefff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc4d480000 | 0x7ffc4d493fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xf40edf0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #129: net.exe
0
0
| Information | Value |
|---|---|
| ID | #129 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:34, Reason: Child Process |
| Unmonitor | End Time: 00:04:35, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x722c |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7230
0x
7280
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000048176c0000 | 0x48176c0000 | 0x48176dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000048176e0000 | 0x48176e0000 | 0x48176f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000004817700000 | 0x4817700000 | 0x481777ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000004817780000 | 0x4817780000 | 0x4817783fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000004817790000 | 0x4817790000 | 0x4817790fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000048177a0000 | 0x48177a0000 | 0x48177a1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff200000 | 0x7df5ff200000 | 0x7ff5ff1fffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca000000 | 0x7ff7ca000000 | 0x7ff7ca022fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca028000 | 0x7ff7ca028000 | 0x7ff7ca028fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca02e000 | 0x7ff7ca02e000 | 0x7ff7ca02ffff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #131: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #131 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:34, Reason: Child Process |
| Unmonitor | End Time: 00:04:35, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7284 |
| Parent PID | 0x722c (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7288
0x
728C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000b9adc70000 | 0xb9adc70000 | 0xb9adc8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b9adc70000 | 0xb9adc70000 | 0xb9adc7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b9adc80000 | 0xb9adc80000 | 0xb9adc86fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b9adc90000 | 0xb9adc90000 | 0xb9adca3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b9adcb0000 | 0xb9adcb0000 | 0xb9add2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b9add30000 | 0xb9add30000 | 0xb9add33fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b9add40000 | 0xb9add40000 | 0xb9add40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b9add50000 | 0xb9add50000 | 0xb9add51fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xb9add60000 | 0xb9ade1dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b9ade20000 | 0xb9ade20000 | 0xb9ade9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b9adea0000 | 0xb9adea0000 | 0xb9adea6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xb9adeb0000 | 0xb9adeb2fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000b9adee0000 | 0xb9adee0000 | 0xb9adfdffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0xb9adfe0000 | 0xb9ae011fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b9ae060000 | 0xb9ae060000 | 0xb9ae06ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff160000 | 0x7df5ff160000 | 0x7ff5ff15ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648220000 | 0x7ff648220000 | 0x7ff64831ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648320000 | 0x7ff648320000 | 0x7ff648342fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff64834b000 | 0x7ff64834b000 | 0x7ff64834cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64834d000 | 0x7ff64834d000 | 0x7ff64834efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64834f000 | 0x7ff64834f000 | 0x7ff64834ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc4d480000 | 0x7ffc4d493fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xb9adeb0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #132: net.exe
0
0
| Information | Value |
|---|---|
| ID | #132 |
| File Name | c:\windows\system32\net.exe |
| Command Line | "C:\Windows\System32\net.exe" stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:36, Reason: Child Process |
| Unmonitor | End Time: 00:04:38, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7298 |
| Parent PID | 0xf08 (c:\users\ciihmnxmn6ps\desktop\zotci.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
729C
0x
72B4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000fc23da0000 | 0xfc23da0000 | 0xfc23dbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000fc23dc0000 | 0xfc23dc0000 | 0xfc23dd3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000fc23de0000 | 0xfc23de0000 | 0xfc23e5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000fc23e60000 | 0xfc23e60000 | 0xfc23e63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000fc23e70000 | 0xfc23e70000 | 0xfc23e70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000fc23e80000 | 0xfc23e80000 | 0xfc23e81fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffc80000 | 0x7df5ffc80000 | 0x7ff5ffc7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7ca980000 | 0x7ff7ca980000 | 0x7ff7ca9a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7ca9ad000 | 0x7ff7ca9ad000 | 0x7ff7ca9aefff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7ca9af000 | 0x7ff7ca9af000 | 0x7ff7ca9affff | Private Memory | rw |
|
|
|
- |
| net.exe | 0x7ff7cac30000 | 0x7ff7cac4cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Process #134: net1.exe
20
0
| Information | Value |
|---|---|
| ID | #134 |
| File Name | c:\windows\system32\net1.exe |
| Command Line | C:\Windows\system32\net1 stop "samss" /y |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:04:36, Reason: Child Process |
| Unmonitor | End Time: 00:04:38, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x72b8 |
| Parent PID | 0x7298 (c:\windows\system32\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
72BC
0x
72C0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000f71b7c0000 | 0xf71b7c0000 | 0xf71b7dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f71b7c0000 | 0xf71b7c0000 | 0xf71b7cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000f71b7d0000 | 0xf71b7d0000 | 0xf71b7d6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f71b7e0000 | 0xf71b7e0000 | 0xf71b7f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f71b800000 | 0xf71b800000 | 0xf71b87ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f71b880000 | 0xf71b880000 | 0xf71b883fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f71b890000 | 0xf71b890000 | 0xf71b890fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f71b8a0000 | 0xf71b8a0000 | 0xf71b8a1fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f71b8b0000 | 0xf71b8b0000 | 0xf71b8b6fff | Private Memory | rw |
|
|
|
- |
| netmsg.dll | 0xf71b8c0000 | 0xf71b8c2fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000f71b8e0000 | 0xf71b8e0000 | 0xf71b9dffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xf71b9e0000 | 0xf71ba9dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f71baa0000 | 0xf71baa0000 | 0xf71bb1ffff | Private Memory | rw |
|
|
|
- |
| netmsg.dll.mui | 0xf71bb20000 | 0xf71bb51fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f71bc90000 | 0xf71bc90000 | 0xf71bc9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff220000 | 0x7df5ff220000 | 0x7ff5ff21ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff648140000 | 0x7ff648140000 | 0x7ff64823ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff648240000 | 0x7ff648240000 | 0x7ff648262fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff648263000 | 0x7ff648263000 | 0x7ff648263fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64826c000 | 0x7ff64826c000 | 0x7ff64826dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff64826e000 | 0x7ff64826e000 | 0x7ff64826ffff | Private Memory | rw |
|
|
|
- |
| net1.exe | 0x7ff648fb0000 | 0x7ff648febfff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7ffc4d480000 | 0x7ffc4d493fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7ffc50ec0000 | 0x7ffc50ed7fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7ffc514b0000 | 0x7ffc514c5fff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7ffc51ca0000 | 0x7ffc51ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7ffc53830000 | 0x7ffc5383bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7ffc53840000 | 0x7ffc53865fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7ffc53ba0000 | 0x7ffc53bddfff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ffc543a0000 | 0x7ffc543c7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ffc55040000 | 0x7ffc5521cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ffc552c0000 | 0x7ffc5535cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ffc55800000 | 0x7ffc558acfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ffc570a0000 | 0x7ffc571c5fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ffc57540000 | 0x7ffc5759afff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ffc57b50000 | 0x7ffc57d11fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 71 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xf71b8c0000 |
|
1 | |
| Get Handle | c:\windows\system32\net1.exe | base_address = 0x7ff648fb0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 |
|
1 |
Service (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Control | service_name = SAMSS |
|
1 | |
| Get Info | service_name = SAMSS |
|
1 | |
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
